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1  Executive  Summary 


The  project's  primary  focus  is  to  enhance  security  of  communications  over  wireless  networks  against 
various  threats.  Both  passive  and  active  threats  were  considered.  Two  important  characteristics  of  the 
developed  approach  are  as  follows. 

1.  Against  the  passive  threat  of  eavesdropping,  the  notion  of  security  adopted  under  this  effort  utilizes 
the  strong  notion  of  provable  security  pioneered  by  Shannon.  The  notion  of  provable  security 
has  been  used  in  obtaining  the  communication  limits  of  a  system  involving  multiple  receivers 
that  require  confidentiality  of  their  respective  messages  from  the  same  transmitter.  Perhaps  more 
importantly,  such  security  notion  has  been  used  in  devising  a  practically  useful  scheme  against  a 
random  eavesdropper  in  a  communication  network. 

2.  The  security  mechanism  developed  under  this  effort  invariably  relies  on  physical  layer  implementa¬ 
tion.  As  physical  layer  is  the  first  layer  that  a  user  interfaces  with  the  transmission  medium  hence 
with  other  nodes  in  the  system,  a  strong  security  approach  at  the  physical  layer  is  desired.  This 
is  particularly  important  in  defending  against  primary  user  emulation  attack  in  a  cognitive  radio 
network. 

Besides  of  the  Principle  Investigator,  there  are  a  total  of  five  graduate  students  who  have  involved 
in  this  project,  including  one  who  has  graduated  and  four  current  students: 

•  Dr.  Jin  Xu,  who  graduated  in  2010  and  has  since  joined  Microsoft  Inc.  in  2010; 

•  Kapil  Borle; 

•  Fangrong  Peng; 

•  Earnest  Akofor; 

•  Shengyu  Zhu. 

The  research  effort  lead  to  three  major  contributions  in  wireless  cybersecurity  which  we  summarize 
below. 

Wireless  Broadcast  Channel  With  Confidential  Messages  We  consider  a  wireless  broadcast 
channel  where  a  source  node  is  communicating  to  two  or  more  sink  nodes.  While  the  wireless 
broadcast  nature  enables  each  receiver  to  receive  a  noisy  version  of  the  same  transmitted  signal,  the 
design  challenge  is  to  ensure  the  confidentiality  of  the  messages  intended  for  individual  receivers. 
Specifically,  the  confidential  message  intended  for  any  one  of  the  sink  nodes  should  be  kept  secret 
from  the  other  nodes.  In  other  words,  each  sink  node  is  considered  as  an  eavesdropper  for  the  other 
sink  nodes  in  the  network.  Communication  limits  are  derived  under  various  channel  conditions 
that  ensure  provable  security  of  messages  intended  for  individual  receivers. 
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Simulcasting  Over  Networks  This  part  deals  with  a  communication  network  where,  in  the  absence 
of  a  direct  link,  the  source  node  needs  to  communicate  to  a  sink  node  via  multiple  intermediate 
nodes  serving  as  relay  nodes.  The  entire  network  is  assumed  to  form  an  acyclic  planar  network. 
The  specific  threat  that  we  considered  is  the  so-called  non-cooperating  eavesdropping  threat  on 
the  links.  An  alternative  interpretation  is  that  there  is  a  single  adversary  who  can  eavesdrop,  at 
any  given  time,  on  a  single  link  and  the  location  of  the  eavesdropper  is  unknown  to  the  source 
and  sink  nodes.  The  proposed  scheme  combines  Shannon's  one-time  pad  scheme  together  with 
the  modified  Ford-Fulkerson  algorithm  that  ensures  provable  security  of  messages  in  the  presence 
of  the  above  eavesdropping  threat. 

PHY  Layer  Authentication  Against  PUE  Attack  A  physical  layer  authentication  scheme  is 
proposed  for  cognitive  radio  against  the  Primary  User  Emulation  attack  where  an  adversary  emulate 
primary  user’s  transmission  with  the  intent  of  hijacking  the  spectrum  and  disrupting  network 
access.  The  authentication  scheme  relies  on  physical  layer  scheme  where  constellation  perturbation 
is  introduced  for  authentication  purpose. 

The  first  two  contributions  listed  above  constitute  the  major  parts  of  the  following  doctoral  disser¬ 
tation,  which  is  also  attached  as  an  appendix: 

•  J.  Xu,  An  Information  Theoretic  Approach  to  Provabiy  Secure  Communications,  Ph.D.  Disserta¬ 
tion,  Syracuse  University,  2010. 

In  addition,  the  research  effort  has  also  led  to  two  (2)  archival  journal  publications  and  four  (4) 
peer-reviewed  conference  proceeding  papers  listed  below. 

•  J.  Xu,  Y.  Cao,  and  B.  Chen,  “Capacity  bounds  for  broadcast  channels  with  confidential  messages," 
IEEE  Transactions  on  Information  Theory,  vol.  55,  pp.  4529-4542,  October  2009. 

•  J.  Xu  and  B.  Chen,  “Secure  coding  over  networks  against  non-cooperative  eavesdropping,”  to 
appear  in  IEEE  Trans.  Information  Theory,  2013. 

•  K.  Borle,  B.  Chen  and  W.  Du,  “A  physical  layer  authentication  scheme  for  countering  primary  user 
emulation  attack,”  submitted  to  IEEE  International  Conference  on  Acoustic  Speech  and  Signal 
Processing  (ICASSP2013),  Vancouver,  Canada,  May  2013. 

•  F.  Peng,  H.  Chen,  and  B.  Chen,  “On  energy  detector  for  cooperative  spectrum  sensing,”  Proc. 
Annual  Conference  on  Information  Sciences  and  Systems,  Princeton,  NJ,  March  2012. 

•  X.  Tan,  K.  Borle,  W.  Du,  and  B.  Chen,  “Cryptographic  link  signatures  for  spectrum  usage  authen¬ 
tication  in  cognitive  radio,”  ACM  Conference  on  Wireless  Network  Security  (WiSec),  Hamburg, 
Germany,  June  2011. 
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•  J.  Xu  and  B.  Chen,  "Secure  coding  over  networks,”  Proc.  IEEE  International  Symposium  on 
Information  Theory ,  Seoul,  Korea,  June-July  2009. 

A  patent  application  was  filed  that  described  the  technology  developed  under  this  effort: 

•  Inventer:  J.  Xu  and  B.  Chen,  Patent  Title:  Method  For  Secure  Communication  Over  Heteroge¬ 
neous  Networks,  US  Patent  Filed  June  2010,  Publication  number:  US  2010/0313021  Al. 

The  rest  of  the  report  consists  of  three  sections,  corresponding  to  the  above  three  major  contribu¬ 
tions.  The  appendix  includes  the  dissertation  of  Jin  Xu.  The  report  itself  provides  a  synopsis  of  the 
proposed  scheme;  details  about  the  proposed  approaches  can  be  found  in  the  above  papers  available  in 
open  literature. 


2  Broadcast  Channels  with  Confidential  Messages 


Consider  a  situation  where  a  single  transmitter  (source  node)  needs  to  simultaneously  communicate  to 
two  or  more  receivers  (sink  nodes).  A  classical  example  is  the  downlink  in  a  cellular  system  where  a 
base  station  needs  to  communicate  to  multiple  mobile  stations.  An  example  relevant  to  the  air  force  is 
the  situation  where  an  airplane,  manned  or  unmanned,  needs  to  send  independent  messages  to  multiple 
parties  on  the  ground. 

Classical  study  of  provable  secure  communication  assumes  that  the  source  node  needs  to  commu¬ 
nicate  a  confidential  message  to  a  single  sink  node  [?].  While  the  other  nodes  can  also  hear  a  noisy 
version  of  the  transmitted  signal,  the  design  objective  is  to  ensure  that  all  other  nodes  are  kept  ignorant 
of  the  confidential  message.  Here,  the  ignorance  is  measured  using  a  classical  information  theoretic 
notion,  namely  equivocation,  i.e.,  conditional  entropy. 

Our  work  generalizes  this  model  to  a  situation  where  the  source  node  may  have  multiple  confidential 
messages,  one  for  each  of  the  sink  nodes.  The  objective  is  to  ensure  reliable  recovery  of  each  message 
at  its  intended  receiver  while  keeping  it  secret  from  all  other  unintended  receivers.  A  simple  two  user 
example  is  illustrated  in  Figure  1. 


Figure  1:  Broadcast  channel  with  two  confidential  messages  W\,W2  and  one  common 
message  Wq 


We  have  successfully  characterized  the  trade-off  between  throughput  and  confidentiality  under  the 
constraint  that  the  messages  need  to  be  reliably  recovered  at  their  intended  receivers.  The  work  is  of  very 
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fundamental  nature;  as  such,  the  contributions  to  the  research  community  lie  largely  in  helping  advance 
our  basic  understanding  of  the  many  fundamental  trade-offs  pertaining  to  high  data  rate  provable 
secure  communications  as  well  as  to  basic  network  information  theory  research.  As  an  illustration,  it 
was  observed  that  non-zero  rate  secure  communication  can  be  simultaneously  attained  for  different  users 
in  the  network  under  suitable  channel  conditions.  Technical  details  related  to  this  work  can  be  found  in 

•  J.  Xu,  Y.  Cao,  and  B.  Chen,  “Capacity  bounds  for  broadcast  channels  with  confidential  messages," 
IEEE  Transactions  on  Information  Theory,  vol.  55,  pp.  4529-4542,  October  2009. 

•  J.  Xu,  An  Information  Theoretic  Approach  to  Provably  Secure  Communications,  Ph.D.  Disserta¬ 
tion,  Syracuse  University,  2010. 


3  Cybersecurity  for  Networks  Against  Non-Cooperating  Eaves¬ 
dropping 

The  problem  of  concern  here  is  the  confidentiality  of  messages  communicated  over  a  network  that  is  sub¬ 
ject  to  non-cooperative  eavesdropping,  and  A  single-source  single-sink  acyclic  planar  network  is  assumed 
and  each  link  in  the  network  may  be  noisy  or  noiseless.  The  so-called  non-cooperative  eavesdropping 
describes  the  passive  threat  of  multiple  non-colluding  eavesdropper  in  a  network.  Alternatively,  one  can 
consider  the  existence  of  a  single  eavesdropper  yet  its  precise  location  in  the  network  is  unknown  to  the 
source  and  sink  node. 

To  motivate  our  work  as  well  as  to  illustrate  the  proposed  approach,  we  consider  the  simplest  non¬ 
trivial  network  composed  of  two  parallel  links,  as  sketched  in  Figure  2.  Given  that  the  adversary  can 
only  eavesdrop  on  one  of  the  two  links  of  his/her  choice  but  not  both,  an  intuitively  simple  secure 
communication  scheme  is  as  follows.  Communicate  via  link  1  a  secret  key;  in  link  2,  transmit  the 
encrypted  message  using  the  one-time  pad  approach  with  the  key  communicated  via  link  1.  Message 
confidentiality  is  guaranteed  by  the  provable  security  of  one-time  pad  if  the  adversary  (Eve  2)  eavesdrops 
on  link  2.  On  the  other  hand,  eavesdropping  on  link  1  (Eve  1)  yields  only  the  secret  key  which  is 
completely  independent  of  the  message.  One  can  indeed  prove,  using  simple  information  theoretic 
argument,  that  such  approach,  as  well  as  its  generalization  to  multiple  parallel  links,  is  indeed  optimal. 
That  is,  there  is  no  other  schemes  that  can  achieve  a  better  secure  throughput  for  such  parallel  networks. 

The  challenge  is  to  extend  the  above  intuitive  scheme  to  a  network  consisting  of  interconnected  nodes 
that  do  not  form  parallel  and  disjoint  paths.  The  general  model  is  illustrated  in  Figure  3  where  each 
link  in  the  network  is  subject  to  non-cooperating  eavesdropping.  We  have  succeeded  in  characterizing 
the  secure  throughput  for  such  a  network  with  a  given  topology  and  link  capacities  with  the  additional 
requirement  that  the  network  be  acyclic  and  planar.  The  obtained  region  is  shown  to  be  optimal  when 
specializing  to  several  special  networks.  Furthermore,  the  result  is  easily  generalizable  to  networks  with 
noisy  links,  making  the  approach  applicable  to  wireless  networks. 
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Eve  1 


Alice 


Figure  2:  A  motivating  example  of  secure  communication  over  multiple  links. 

Technical  details  can  be  found  in 

•  J.  Xu  and  B.  Chen,  “Secure  coding  over  networks  against  non-cooperative  eavesdropping,”  to 
appear  in  IEEE  Trans.  Information  Theory,  2013. 

•  J.  Xu,  An  Information  Theoretic  Approach  to  Provably  Secure  Communications,  Ph.D.  Disserta¬ 
tion,  Syracuse  University,  2010. 

The  contribution  to  the  community  lies  both  in  its  theoretical  significance  as  it  is  the  first  charac¬ 
terization  of  the  throughput-security  tradeoff  for  such  networks,  as  well  as  its  practical  ramifications. 
The  constructive  proof  used  to  establish  the  result  combines  Shannon's  key  encryption  and  the  Ford- 
Fulkerson  algorithm,  and  constitutes  a  readily  implementable  secure  coding  scheme  for  provably  secure 
communications.  This  technology  has  led  to  a  US  patent  application. 

•  Inventer:  J.  Xu  and  B.  Chen,  Patent  Title:  Method  For  Secure  Communication  Over  Heteroge¬ 
neous  Networks,  US  Patent  Filed  June  2010,  Publication  number:  US  2010/0313021  Al. 


4  Physical  Layer  Authentication  Against  PEU  Attack 

Cognitive  radio  has  been  proposed  as  a  way  to  free  up  wireless  spectrum  that  exploits  sporadic  traffic 
patterns  of  users  to  whom  the  spectrum  is  assigned  to.  When  such  so-called  primary  users  are  not 
transmitting,  there  is  strong  incentives  to  free  up  the  spectrum  to  accommodate  the  secondary  users. 
However,  such  an  approach,  together  with  the  broadcast  nature  of  wireless  transmissions,  makes  cogni¬ 
tive  radio  system  susceptible  to  various  attacks.  Of  interest  here  is  the  so-called  Primary  User  Emulation 
(PUE)  attack  where  an  adversary  impersonates  the  primary  user  thereby  effectively  hijacks  the  spectrum 
as  it  prevents  any  legitimate  secondary  users  from  transmitting. 

Existing  systems  authenticate  through  high  layers  (e.g.,  application  layer)  where  the  signal  needs 
to  be  decoded  first  prior  to  authentication.  This  not  only  introduces  longer  delay,  but  it  also  requires 
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Figure  3:  An  example  of  network  with  non-cooperating  eavesdropping 


that  the  secondary  users  be  able  to  decode  the  messages  from  the  primary  transmitter  -  this  may 
potentially  lead  to  other  security  vulnerability  as  those  messages  are  only  intended  for  the  primary 
receiver.  The  uniqueness  of  the  proposed  solution  for  primary  user  authentication  in  the  physical  layers 
can  be  summarized  in  the  following  aspects. 

•  The  proposed  approach  utilizes  physical  layer  authentication.  As  such,  secondary  users  do  not  need 
to  decode  the  actual  messages  from  the  primary  users,  preventing  potential  security  loopholes. 

•  All  the  legacy  receivers  (i.e.,  primary  receivers)  do  not  need  to  be  modified.  The  embedding  of 
authentication  signature  is  transparent  to  those  receivers  (e.g.,  TV  sets)  who  are  interested  in 
receiving  primary  users'  transmission. 

•  The  proposed  scheme  applies  to  any  digital  modulation  schemes  and  provides  ability  to  trade  off 
reliabilities  for  authentication  at  secondary  users  and  for  message  reception  at  primary  receivers. 

The  proposed  scheme  does  require  modification  of  the  primary  user's  circuitry.  Nevertheless,  the 
modification  is  minor  and  can  be  implemented  in  the  ‘software’  domain  for  those  systems  with  pro¬ 
grammable  radio  capability.  The  gain  is  its  significantly  simplified  authentication  requirement  at  the 
secondary  users  as  well  as  its  transparency  for  primary  receivers. 

The  basic  idea  of  the  proposed  approach  is  to  embedding  a  digital  signature  into  the  digital  con¬ 
stellation  at  the  primary  transmitter.  To  an  uninformed  receiver,  the  embedded  signature  induces  a 
negligible  amount  of  perturbation  to  the  signal  constellation,  much  like  the  effect  of  the  channel  noise. 
On  the  other  hand,  to  an  informed  receiver,  such  signature  can  be  detected  by  combining  received  sig¬ 
nal  spanning  multiple  symbol  intervals.  The  detection  technology  is  tantamount  to  that  used  in  spread 
spectrum  technology.  As  such,  trade-off  between  the  noisy  effect  on  primary  user's  signal  and  authen- 
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tication  reliability  can  be  controlled  by,  for  example,  choosing  appropriate  signal  power  and  spreading 
gain.  A  proof  of  concept  study  has  been  reported  in  the  following  paper. 

•  X.  Tan,  K.  Borle,  W.  Du,  and  B.  Chen,  “Cryptographic  link  signatures  for  spectrum  usage  authen¬ 
tication  in  cognitive  radio,”  ACM  Conference  on  Wireless  Network  Security  (WiSec),  Hamburg, 
Germany,  June  2011. 

The  scheme  described  in  the  above  is  geared  toward  the  particular  Quadrature  Phase  Shift  Keying 
(QPSK)  because  of  the  embedding  scheme  that  is  not  circularly  symmetric.  We  have  investigated 
extensions  to  arbitrary  Quadrature  Amplitude  Modulation  (QAM)  scheme.  Notice  that  QPSK  is  a  very 
special  case  of  QAM  in  that  all  constellation  points  are  evenly  distributed  on  a  scaled  unit  circle  whereas 
general  QAM  modulations  do  not  have  the  constant  modulo  property.  An  intuitive  scheme  to  embed  the 
authentication  tag  through  a  constant  phase  shift  for  each  bit  is  currently  being  studied.  The  scheme 
illustrated  in  Fig.  4  for  a  general  16QAM  constellation  where  the  tag  bit  is  embedded  in  a  constant  phase 
shift  for  all  constellation  points.  Alternatively,  one  can  introduce  a  perturbation  that  maintains  constant 
SNR  degradation  at  each  constellation  point.  We  have  established  in  the  following  paper  the  optimality 
of  the  latter  approach  and  have  also  included  detailed  analysis  of  the  trade-off  between  authentication 
and  symbol  detection  for  the  primary  user. 

•  K.  Borle,  B.  Chen  and  W.  Du,  “A  physical  layer  authentication  scheme  for  countering  primary  user 
emulation  attack,”  submitted  to  IEEE  International  Conference  on  Acoustic  Speech  and  Signal 
Processing  (ICASSP2013),  Vancouver,  Canada,  May  2013. 
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Figure  4:  Tag  embedding  for  a  general  QAM  constellation.  With  tag  bit  +1,  the 

constellation  points  take  a  constant  phase  in  the  counter  clock-wise  direction 
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Abstract 


With  the  rapid  deployment  of  new  wireless  devices  and  pervasive  use  of  wireless  data 
and  voice  services,  the  demand  for  reliable  and  secure  communications  is  becoming 
more  and  more  urgent.  The  focus  of  this  thesis  is  on  the  fundamental  trade-off  among 
throughput,  reliability,  and  security  of  various  wireless  networks.  Our  study  adopts 
the  notion  of  provable  security  from  an  information  theoretic  perspective.  Using 
equivocation  to  measure  the  confidentiality  of  messages,  we  establish,  for  various 
communication  models,  the  fundamental  rate-equivocation  trade-off. 

We  first  study  capacity  bounds  for  discrete  memoryless  broadcast  channels  with 
two  confidential  messages,  which  is  a  generalization  of  Csiszar  and  Korner’s  classical 
model.  The  outer  bounds  are  proposed  for  the  rate  equivocation  region  of  this  channel 
model,  which,  together  with  a  previously  proposed  inner  bound,  help  establish  the 
rate  equivocation  region  of  several  classes  of  discrete  memoryless  broadcast  channels. 
Furthermore,  specializing  to  the  general  broadcast  channel  by  removing  the  confiden¬ 
tiality  constraint,  the  proposed  outer  bounds  reduce  to  new  capacity  outer  bounds 
for  the  discrete  memorylesss  broadcast  channel. 

Next,  we  consider  another  variation  of  Csiszar  and  Korner’s  model.  The  transmit¬ 
ter  sends  both  a  confidential  message  and  a  non-conhdential  message  (public  message) 
to  the  intended  receiver.  While  the  unintended  receiver  should  be  kept  ignorant  from 
the  confidential  message,  we  do  not  impose  the  requirement  that  the  public  mes¬ 
sage  needs  to  be  perfectly  recovered  by  the  unintended  receiver.  This  more  liberal 


treatment  of  the  non-confidential  message  is  perhaps  a  more  reasonable  model  than 
Csiszar  and  Korner’s  model  where  the  non-confidential  message  (common  message) 
is  required  to  be  decoded  by  both  receivers.  A  single-letter  characterization  of  the 
achievable  rate  equivocation  region  of  this  model  is  given  and  the  result  is  then  ex¬ 
tended  to  the  case  when  an  extra  secret  key  is  available  to  the  transmitter  and  the 
intended  receiver. 

Utilizing  the  developed  framework  of  broadcast  channels  with  confidential  and 
public  messages,  we  further  study  the  problem  of  secure  communication  over  a  net¬ 
work  in  which  each  link  may  be  noisy  or  noiseless.  A  single-source  single-sink  acyclic 
planar  network  is  assumed,  and  the  communication  between  the  source  and  the  sink 
is  subject  to  non-cooperating  eavesdropping  on  each  link.  Sufficient  conditions,  in 
terms  of  communication  rates  and  network  parameters,  are  found  for  provably  secure 
communication.  A  constructive  proof,  which  combines  Shannon’s  key  encryption, 
Wyner’s  random  coding,  and  the  Ford- Fulkerson  algorithm,  is  provided  which  con¬ 
stitutes  a  readily  implementable  secure  coding  scheme  for  provably  secure  communi¬ 
cations.  The  derived  achievable  rate  equivocation  region  is  tight  when  specializing 
to  several  special  cases.  In  particular,  when  the  communication  network  decouples 
into  non-overlapping  parallel  paths,  the  proposed  encoding  scheme  is  optimal,  i.e.,  it 
achieves  the  secure  communication  capacity  for  such  networks. 
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Chapter  1 


Introduction 


The  advances  of  today’s  communication  networks,  both  wired  and  wireless,  have 
dramatically  improved  its  accessibility  and  affordability.  As  such,  people  have  become 
increasingly  dependent  on  their  ability  to  stay  connected,  both  in  their  personal  and 
professional  lives.  Maintaining  the  integrity  and  security  of  the  information  flowing 
over  the  ever  pervasive  networks  is  thus  of  critical  importance  for  both  privacy  and 
business  or  national  security  reasons. 

Existing  mechanisms  to  ensure  the  communication  network  security  largely  rely 
on  the  symmetric  key  and  public/private  key  infrastructures  that  were  developed 
since  1970s  with  the  advent  of  computer  networks.  While  they  have  been  fairly 
successful  in  providing  robust  security  performance  against  some  common  security 
threats,  its  vulnerability  has  also  been  exploited  through  various  deliberate  attacks  [4] . 
For  example,  RSA-129  Factoring  Challenge  Project  is  successfully  attacked  in  1994; 
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DES  system  with  a  shorter  key  length  was  cracked  in  1997;  Netscape  SSL  RC4  was 
successfully  attacked  within  months  of  its  release. 

These  examples  are  not  entirely  surprising;  these  existing  security  schemes  are 
based  primarily  on  some  unproven  hypotheses  on  the  difficulty  of  certain  problems. 
Even  without  taking  into  account  potential  advances  of  cryptanalysis,  the  exponen¬ 
tially  increasing  computing  power  as  predicted  by  Moore’s  law  kept  raising  the  bar 
for  data  security.  More  importantly,  the  emergence  of  potentially  new  computing 
paradigms  may  completely  change  the  entire  landscape.  For  example,  under  the 
quantum  computing  regime,  factoring  prime  numbers  requires  only  polynomial  time 
(i.e.,  Shor’s  algorithm).  This  will  render  the  current  RSA-based  [5]  public-key  cryp¬ 
tographic  primitives  obsolete. 

Therefore,  it  is  imperative  for  us  to  give  more  attention  to  the  notion  of  uncondi¬ 
tional  (provable)  security,  where  we  can  assume  that  adversaries  have  infinite  comput¬ 
ing  power.  Such  notion  of  provable  security  was  pioneered  by  Claude  E.  Shannon  in 
1948  [6]  from  an  information  theoretic  perspective.  This  thesis  intends  to  apply  this 
strong  notion  of  security  to  more  sophisticated  communication  systems.  Contrary  to 
existing  key  primitive  based  approaches,  security  is  assured  even  if  the  adversary  is 
assumed  to  have  infinite  computing  power.  In  the  following,  we  review  related  works 
about  the  information-theoretic  security. 
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1.1  Shannon  Cipher  System 


A  Shannon  cipher  system,  as  depicted  in  Fig.  1.1,  involves  two  communicating  parties 
(Bob  and  Alice)  and  an  eavesdropper  (Eve).  A  private  key  K  is  shared  by  Bob  and 
Alice  that  is  completely  unknown  to  Eve.  Bob  uses  K  to  encrypt  the  secret  message 
S  into  ciphertext  C  while  Alice  uses  K  to  decipher  C  back  to  S.  In  information 
theoretic  terms,  perfect  secrecy  is  said  to  be  achieved  when  H(S\C)  =  H(S)  but 
H(S\C,  K)  =  0  where  H(-)  is  the  usual  Shannon  entropy  function  (see  [7]).  Thus, 
given  C  alone,  Eve  gains  no  information  about  S,  while  if  both  C  and  K  are  given 
(as  for  Alice),  S  can  be  completely  recovered.  Shannon  established  in  [1]  a  somewhat 
surprising  result:  perfect  secrecy  is  guaranteed  only  if  H(K )  >  H(S),  i.e.,  the  key 
size  is  at  least  as  large  as  the  source  message. 


K  K 


Figure  1.1:  The  Shannon  cipher  system. 


Here,  the  notion  of  secrecy  is  in  the  strongest  possible  sense:  security  is  indepen- 
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dent  of  any  hypothesis  on  the  intractability  of  certain  computational  problem  or  any 
assumption  of  limited  computing  power  for  Eve.  While  this  establishes  provable  se¬ 
curity  of  the  so-called  one-time  pad  scheme,  the  excessive  requirement  on  the  key  size 
essentially  forebodes  a  negative  result:  any  key-based  encryption  scheme  is  almost 
always  not  provably  secure  as  the  key  size  requirement  precludes  any  hope  of  dynamic 
key  exchange.  It  is  inconceivable  to  be  able  to  store  infinite  length  private  key  or  to 
have  steady  and  secure  key  exchange/extraction  to  sustain  secure  communication  in 
the  digital  era. 

1.2  Provable  Security  for  Noisy  Channels 

Although  Shannon  showed  that  the  one-time  pad  scheme  can  achieve  perfect  secrecy 
as  a  cryptographic  encoding  technique,  his  result  appears  to  rule  out  the  pursuit 
of  absolute  security  in  light  of  its  excessive  key  requirement.  Wyner  in  his  seminal 
work  in  1975  [2]  rekindled  the  promise  of  achieving  provable  security  in  practical 
communication  systems.  The  pivot  lies  in  the  very  basic  model  assumed  in  Shannon’s 
original  work  [1]:  in  Shannon’s  model,  the  encrypted  message  C  is  available  error  free 
to  both  intended  and  unintended  receivers.  In  the  context  of  wireless  transmission, 
for  example,  this  error  free  assumption  is  not  realistic.  Instead  Wyner  studied  a 
noisy  communication  system  that  is  being  eavesdropped  via  another  noisy  channel. 
Fig.  1.2  portrays  this  scenario  using  binary  symmetric  broadcast  channel  (BSBC) 
models,  where  the  two  friendly  users  (Bob  and  Alice)  share  information  over  a  main 
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noisy  channel  ( Vn  is  the  binary  noise)  and  a  passive  eavesdropper  (Eve)  observes 
a  degraded  version  of  the  information  through  a  wiretap  channel,  i.e. ,  Eve  sees  an 
additional  noise  Wn. 


Vn 


Eve 


Figure  1.2:  Wyner’s  wiretap  channel  model. 

Wyner  established  in  [2]  that  provably  secure  communication  can  indeed  be  achieved 
for  communication  over  noisy  wiretap  channels  in  the  absence  of  private  keys.  Wyner’s 
breakthrough  lies  on  its  innovative  use  of  channel  coding.  Instead  of  considering  en¬ 
cryption  and  error  correction  as  residing  two  separate  function  layers,  Wyner  adopted 
a  random  coding  approach  that  can  simultaneously  achieve  reliability  (i.e.,  error  cor¬ 
rection)  and  security  (i.e.,  data  encryption).  The  key  idea  of  random  coding  is  to 
utilize  the  excessive  channel  capacity  of  the  main  channel  over  the  wiretap  channel. 
Since  the  wiretap  channel  is  a  degraded  version  of  the  main  channel,  the  transmitter 
can  prudently  choose  a  codeword  of  suitable  rate  such  that  it  can  be  reliably  recovered 
by  the  better  (main)  channel  but  is  completely  protected  against  the  eavesdropper 
who  sees  a  worse  channel.  This  idea  is  illustrated  pictorially  in  Fig.  1.3.  Through 
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information-theoretic  argument,  Wyner  proved  that  if  the  communication  rate  is  be¬ 
low  the  so-called  excess  capacity  between  the  main  channel  and  wiretap  channel, 
reliable  and  provable  secure  communication  is  possible  through  random  coding. 


Figure  1.3:  An  illustration  of  random  coding  of  BSBC.  The  main  channel  has  better 
resolution  so  that  the  colors  of  these  dots  in  the  codebook  space  (i.e.  the  information 
rate)  can  be  recovered  by  the  main  channel  while  the  eavesdropper  can  not  distinguish 
due  to  the  worse  channel. 

Wyner’s  work  pioneered  research  on  physical  layer  security  of  wireless  communi¬ 
cation  system  and  various  extensions  and  generalizations  to  a  broad  range  of  wireless 
channel  models  have  been  reported  in  the  literature  (see  [8]  and  references  therein). 
One  of  the  major  innovative  points  of  Wyner’s  approach  to  provable  security,  as  al¬ 
luded  before,  is  the  integration  of  channel  coding  and  message  encryption  through 
the  use  of  random  coding.  This  contrasts  with  the  conventional  approach  where  data 
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encryption  is  carried  out  at  the  application  layer  which  is  far  above  the  physical  layer 
where  channel  coding  is  implemented.  This  contrast  is  illustrated  in  Fig.  1.4. 


(b)  Physical  layer  secure  communication 

Figure  1.4:  The  comparison  of  the  conventional  encryption  based  secure  communica¬ 
tion  and  the  physical  layer  secure  communication. 


Wyner’s  model,  while  capturing  the  noisy  nature  of  wireless  medium,  is  somewhat 
restrictive  because  of  its  assumption  of  a  degraded  channel  model.  This  assumption 
was  later  relaxed  by  Csiszar  and  Korner  in  their  celebrated  work  in  [3]  where  a  general 
broadcast  channel  is  studied.  In  their  model,  in  addition  to  a  confidential  message 
that  is  to  be  protected  from  the  unintended  receiver,  there  is  also  a  non-conhdential 
message  (referred  to  as  the  common  message  in  the  context  of  the  classical  broadcast 
channel)  that  is  required  to  be  decoded  by  both  receivers.  In  Fig.  1.5,  we  summarize 
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the  difference  of  the  three  classical  models  studied  by  Shannon,  Wyner  and  Csiszar 


and  Korner,  respectively. 


Wyner’s  model 

Csiszar  and  Korner’s  model 

shannon’s  model  (A'  =  Y  =  Z) 

Bob  ( S ) 

Bob  (S,  T) 

Bob  (5) 

X 

X 

X 

Y  Z 

Y  Z 

Y  Z 

Alice  ( S )  Eve  (S) 

Alice  ( S ,  T)  Eve  {S,  T) 

Alice  (S)  Eve  (S) 

Figure  1.5:  Summary  of  classical  models  studied  in  [1-3].  S,  T  are  the  confidential 
and  common  messages  respectively;  S  means  S  is  required  to  be  protected  against 
Eve;  X ,  Y,  Z  are  the  channel  input  and  outputs. 

Since  then,  there  have  been  considerable  efforts  on  generalizing  these  studies  to 
various  multi-user  channel  models  (see  [8-24]  and  references  therein).  The  obtained 
results  are  rather  encouraging  and  our  understanding  of  the  fundamental  trade-off 
between  rate  and  security  for  many  classical  multi-user  network  models  have  been 
advanced  significantly.  However,  the  results  are  obtained  largely  for  systems  with 
a  very  small  number  of  nodes  and  in  most  cases,  the  way  the  results  were  derived 
does  not  provide  any  insight  on  how  these  trade-offs  can  be  achieved.  This  is  not 
surprising,  since  the  characterization  of  communication  limits  of  a  number  of  wireless 
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channel  modes  without  the  security  constraint  still  remains  open.  This  thesis  makes 
progress  in  the  following  two  aspects.  First,  we  study  a  generalization  and  a  variation 
of  the  classical  broadcast  channels  with  confidential  messages  and  characterize  the 
rate-confidentiality  trade-offs.  Second,  we  consider  a  very  general  wireless  or  wired 
networks  in  which  communications  between  two  nodes  go  through  multiple  nodes  in 
the  network  and  characterize  the  rate-equivocation  trade-off  under  non-cooperative 
eavesdropping.  We  now  give  a  detailed  description  of  this  thesis  below. 

1.3  Outline  of  Thesis 

The  rest  of  the  dissertation  is  divided  into  three  major  parts.  In  Chapter  2,  we  study  a 
generalized  Csiszar  and  Korner’s  model,  namely  discrete  memoryless  broadcast  chan¬ 
nels  with  confidential  messages.  Instead  of  assuming  one  single  confidential  message 
for  one  of  the  two  users,  we  consider  two  confidential  messages,  and  each  of  the  two 
is  to  be  decoded  by  its  intended  receiver  but  to  be  kept  secret  from  the  unintended 
receiver.  In  addition,  a  common  message  is  transmitted  that  is  to  be  decoded  by  both 
receivers.  We  propose  capacity  out  bounds  for  our  channel  model,  which,  together 
with  a  previously  proposed  inner  bound,  help  establish  the  rate  equivocation  region 
of  several  classes  of  discrete  memoryless  broadcast  channels  with  two  confidential 
messages.  They  include  the  less  noisy,  deterministic,  and  semi-deterministic  broad¬ 
cast  channels.  Furthermore,  by  removing  the  confidentiality  constraint,  the  proposed 
outer  bounds  reduce  to  new  capacity  outer  bounds  for  the  classical  discrete  memory 
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broadcast  channel. 


In  Chapter  3,  we  present  the  so-called  broadcast  channel  with  confidential  and 
public  message  (BCCP)  model  as  an  alternative  to  the  classical  model  of  Csiszar  and 
Korner.  The  difference  lies  in  BCCP’s  more  liberal  treatment  of  the  non-confidential 
message  -  the  requirement  that  the  unintended  receiver  reliably  decode  the  non- 
confidential  message  is  dropped,  which  results  in  an  enlarged  rate  equivocation  region. 
This  is  perhaps  a  more  reasonable  model  than  Csiszar  and  Korner’s  model  where  the 
non-confidential  message  is  required  to  be  decoded  by  both  receivers.  This  BCCP 
framework  is  then  extended  to  systems  where  a  secret  key  is  available  to  the  intended 
transceiver  pair,  the  so-called  secret  key  enhanced  BCCP  model. 

In  Chapter  4,  we  further  study  the  problem  of  secure  communication  over  net¬ 
works.  Particularly,  a  single-source  single-sink  acyclic  planar  network  is  considered, 
where  the  single  source  intends  to  securely  deliver  a  confidential  message  to  the  single 
sink  through  this  network  and  each  link  in  the  network  is  subject  to  non-cooperating 
eavesdropping.  We  develop  an  intuitive  and  efficient  coding  scheme  to  achieve  the 
secrecy.  The  scheme  incorporates,  in  a  natural  yet  creative  way,  the  one-time  pad 
scheme  into  the  Ford-Fulkerson  algorithm  which  was  developed  for  the  celebrated 
Max-flow  Min-cut  theorem.  This  explicit  encoding  and  routing  scheme  leads  to  an 
achievable  rate  equivocation  region  for  the  secure  coding  over  network  model  which 
is  shown  to  be  tight  when  specializing  to  a  network  of  non-overlapping  parallel  links. 

Finally,  we  conclude  in  Chapter  5  by  summarizing  the  main  contributions  of  this 
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thesis  and  discussing  our  future  work. 


1.4  Notations 

In  the  following,  we  introduce  notations  which  will  be  used  throughout  this  thesis. 


Term 

Description 

X 

a  discrete  random  variable 

X 

the  sample  space  of  a  discrete  random  variable  X 

X 

a  realization  of  a  random  variable  X 

Xn 

a  vector  of  random  variables,  with  time  from  1  to  n 

Xi 

a  random  variable  in  time  i 

X  ~  p(x) 

The  probability  mass  function  of  X  is  p(x) 

x~N{h,(j2) 

X  is  Gaussian  distributed  with  mean  ju  and  variance  a2 

H(X) 

entropy  function  of  X 

I(X]Y) 

mutual  information  between  X  and  Y 

c(.) 

Gaussian  channel  capacity,  C  (x)  —  \  log  (1  +  x) 

h{.) 

function,  h{ A)  =  —A  log  A  —  (1  —  A)  log(l  —  A) 

IV 

function  [x]+  =  max{x,  0} 

RV 

random  variable 

SNR 

signal  to  noise  ratio 

BSBC 

binary  symmetric  broadcast  channel 

GWC 

Gaussian  wiretap  channel 

DMBC 

discrete  memorcless  broadcast  channel 

DMBC-2CM 

discrete  memorcless  broadcast  channel  with  two  confidential 

messages  and  one  common  message 

BCCC 

broadcast  channel  with  one  confidential  message 
and  one  common  message 

BCCP 

broadcast  channel  with  one  confidential  message 
and  one  public  message 

Table  1.1:  Notions  used  in  this  thesis. 
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Chapter  2 

Capacity  Bounds  for  Broadcast 
Channels  with  Confidential 
Messages 


In  this  chapter  we  study  a  generalization  of  Csiszar  and  Korner’s  broadcast  channel 
with  confidential  messages.  Specifically,  we  consider  a  two-user  broadcast  channel 
with  one  common  message  and  two  confidential  messages,  one  for  each  receiver.  We 
establish  outer  bounds  to  the  rate  equivocation  region  of  this  channel.  Our  proposed 
outer  bounds,  together  with  a  previously  proposed  achievable  region,  help  estab¬ 
lish  the  rate  equivocation  region  of  several  classes  of  discrete  memoryless  broadcast 
channels  with  two  confidential  messages.  Furthermore,  specializing  to  the  general 
broadcast  channel  by  removing  the  secrecy  constraint,  our  proposed  outer  bounds 
reduce  to  new  capacity  outer  bounds  for  the  discrete  memoryless  broadcast  channels. 
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2.1  Introduction 


In  this  chapter,  we  generalize  Csiszar  and  Korner’s  model  by  considering  discrete 
memoryless  broadcast  channels  where  each  receiver  needs  to  decode  its  own  pri¬ 
vate  message  as  well  as  a  common  message.  We  refer  to  this  model  as  simply  the 
DMBC  with  two  confidential  messages  (DMBC-2CM).  Fig.  2.1  illustrates  the  differ¬ 
ences  among  the  three  models:  Wyner’s  wiretap  channel  model,  Csiszar  and  Korner’s 
model,  and  the  DMBC-2CM  model.  The  DMBC-2CM  model  was  first  studied  by 
Liu  et  al  [21,26]  where,  in  the  absence  of  a  common  message,  the  authors  imposed 
the  perfect  secrecy  constraint  and  obtained  inner  and  outer  bounds  for  the  perfect 
secrecy  capacity  region. 


Figure  2.1:  Variations  to  broadcast  channel  with  confidential  messages 

We  study  capacity  bounds  to  the  rate  equivocation  region  for  the  general  DMBC- 
2CM.  Our  model  generalizes  that  of  [21]  by  including  a  common  message.  More 
importantly,  we  do  not  impose  the  perfect  secrecy  constraint  and  study  instead  the 
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general  trade-off  among  the  rates  for  reliable  communication  and  the  securities  of 
confidential  messages.  Study  of  this  general  model  allows  us  to  unify  many  existing 
results.  We  first  review  the  achievable  rate  equivocation  region  originally  proposed 
in  [27]  that  generalizes  Csiszar  and  Korner’s  rate  equivocation  region  in  [3]  where  only 
a  single  confidential  message  is  to  be  communicated,  Liu  et  a/’s  achievable  rate  region 
under  perfect  secrecy  constraint  [21],  and  Marton  and  Gel’fand-Pinsker’s  achievable 
rate  region  for  the  general  DMBC  [28,29].  We  then  describe  our  proposed  outer 
bounds  to  the  rate  equivocation  region  of  the  DMBC-2CM  which  generalize  existing 
outer  bounds  for  various  special  cases  of  the  DMBC-2CM.  In  particular,  it  reduces  to 
Csiszar  and  Korner’s  rate  equivocation  region  for  the  DMBC  with  only  one  confiden¬ 
tial  message  and  Liu  et  a/’s  outer  bound  to  the  capacity  region  with  perfect  secrecy. 
The  proposed  inner  and  outer  bounds  coincide  for  the  less  noisy,  deterministic,  and 
semi- deterministic  DMBC-2CM,  thus  settle  the  rate  equivocation  region  for  these 
channels.  Furthermore,  in  the  absence  of  secrecy  constraints,  our  proposed  outer 
bounds  specialize  to  new  outer  bounds  to  the  capacity  region  of  the  general  DMBC. 
Comparison  with  other  outer  bounds  proposed  in  [28,30-35]  are  discussed. 

The  rest  of  this  chapter  is  organized  as  follows.  In  Section  2.2,  we  give  the  channel 
model  and  review  relevant  existing  results.  In  Section  2.3,  we  review  an  achievable 
rate  equivocation  region  for  the  DMBC-2CM  and  show  that  it  coincides  with  various 
existing  results  under  respective  conditions.  In  Section  2.4,  we  present  our  outer 
bounds  to  the  rate  equivocation  region  of  the  DMBC-2CM.  We  prove  that  the  outer 
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bound  is  tight  for  the  less  noisy,  deterministic,  and  semi-deterministic  DMBC-2CM. 
We  also  discuss  the  induced  outer  bound  to  the  general  DMBC  and  its  subset  relations 
with  existing  capacity  outer  bounds.  Finally,  we  conclude  in  Section  2.5. 

2.2  Problem  Formulation  and  Previous  Results 

2.2.1  Problem  statement 

A  discrete  memoryless  broadcast  channel  with  confidential  messages  /C  is  a  quadruple 
(X ,p,yi,y2),  where  X  is  the  finite  input  alphabet  set,  W  and  y2  are  two  finite  output 
alphabet  sets,  and  p  is  the  channel  transition  probability  p(yi,y2\x).  We  assume  that 
the  channels  are  memoryless,  i.e., 

n 

p(yi,y% \%n)  =  Y[p(yu,y2i\xi)  (2.1) 

i=  1 

where, 


xn 

=  (a?l,  *  * 

-,xn)exn, 

(2.2) 

yni 

=  (2/11,  • 

■  •,  yin)  e  y?, 

(2.3) 

112 

=  (2/21,  • 

■  •,  ll'ln)  e  y2- 

(2.4) 

Let  Ato  =  {1,2,-  •  • ,  M0 }  be  the  common  message  set,  M.\  =  {1,2,-  •  and 

M.2  =  {1,2,-  •  • ,  M2 }  be  user  1  and  user  2’s  private  message  sets,  and  Wo,  Wi,  W2 
are  the  respective  message  variables  on  the  sets  Xi0,  Xii,  A4 2.  We  assume  stochastic 
encoding  as  randomization  may  increase  secrecy  [3].  A  stochastic  encoder  /  with 
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block  length  n  for  the  channel  /C  is  specihed  by  P{xn\wi,  w2,  wo),  where  xn  G  Xn ) 
w  1  G  Mi,  w 2  G  AI2,  w0  G  A^o  and 

^P(xn|wi,M;2,  w0)  =  1.  (2.5) 

Xn 

Here  P(xn|wi,  tc2,  w0)  is  the  probability  that  the  message  triple  (uq,  w2,  w0)  is  encoded 
as  the  channel  input  xn.  The  two  decoders  are  a  pair  of  mappings 

Pi  '■  yr\  Mi  x  Mo, 

p>2  '■  y?  — t  A^2  X  Mo- 

The  average  probabilities  of  decoding  error  of  this  channel  are  defined  as 

F ffl  =  M  m  M  55  P(WM)  ^  (wi,w0)}\(wi,w2,w0)  sent),  (2.6) 

pen2  =  M  M  M  55  ^({^2(1/2)  ^  (w2,w0)}|(wi,W2,  w0)  sent).  (2.7) 

^  2  0  Wi,W2,W0 

A  rate  quintuple  (Po,  Pi,  P2,  Pei,  Pe2)  is  said  to  be  achievable  if  there  exist  message 
sets  Mi,  M2,  Mo  and  encoder-decoders  (/,  </?i,  <p 2)  such  that  P”,  — >  0  and  Pen2  — >  0, 
where  for  a  —  0, 1,  2, 


1 

lim  -  log  Afa 

n— yoo  n 

=  Ra 

(2.8) 

lim  -H(Wi\Y?) 

n— >00  n 

>  Pei 

(2.9) 

lim  -H(W2\Y?) 

n— >00  fl 

>  Re  2 

(2.10) 

The  rate  equivocation  region  of  the  DMBC-2CM  is  the  closure  of  the  union  of  all 
achievable  rate  quintuples  (Po,  Ri,  R2,  Re  1,  Re 2)-  Our  objectives  in  this  chapter  are  to 
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obtain  meaningful  bounds  to  the  rate  equivocation  region  for  the  DMBC-2CM  and  to 
connect  our  obtained  bounds  with  prior  results  for  various  special  cases  of  the  channel 
model. 

The  DMBC-2CM  model  is  illustrated  in  Fig.  2.2.  We  note  that  in  the  absence 
of  IF 2 ,  the  model  reduces  to  Csiszar  and  Korner’s  model  with  only  one  confiden¬ 
tial  message  [3].  On  the  other  hand,  in  the  absence  of  confidentiality  constraints 
(i.e.,  //(IF7]  |K2n)  and  H(W2\Y{1)),  our  model  reduces  to  the  classical  DMBC  with  two 
private  messages  and  one  common  message  [29]. 


Figure  2.2:  Broadcast  channel  with  two  confidential  messages  W i ,  IF 2  and  one  com¬ 
mon  message  Wq 


Before  proceeding,  we  introduce  the  following  definitions.  Let  Z  =  (U,  Vi,  V2,  X,  Vi,  Y2) 
be  a  set  of  random  variables  such  that  X  G  X,  Yf  G  3d,  Y2  G  y2,  and  the  correspond¬ 
ing  p{yi,y2\x)  is  the  channel  transition  probability  of  the  DMBC-2CM.  Define 

•  Q 1  to  be  the  set  of  Z  whose  joint  distribution  factors  as 

p(u,  ui,  v2,  x ,  2/1,  y2 )  =  p(u,  ui,  v2)p(x\u,  vu  v2)p(yi,  y2\x). 

Thus  any  Z  G  Q\  satisfies  the  Markov  chain  condition  UV\V2  — >•  X  — >  Y{Y2. 


IT 


•  0.2  to  be  the  set  of  Z  whose  joint  distribution  factors  as 


p(u,  vi,  v2,  x ,  y i,  y2)  =  p(u)p(v i,  v2\u)p(x\vl,  v2)p(y i,  y2\x). 

Thus  any  Z  e  Q2  satishes  the  Markov  chain  condition  U  — >  Vj  V2  — >  — >  Tll^- 

•  <23  to  be  the  set  of  Z  whose  joint  distribution  factors  as 

p(u,  ui,  u2,  x,  2/1,  r/2)  =  p('ih)p(u2)p('u|'t;i,  u2)j5(a:|n,  Ui,  v2)p(y1,  y2\x). 

Qs  results  in  the  same  Markov  chain  as  Q\  except  that  V\  and  V2  are  indepen¬ 
dent  of  each  other. 

Clearly,  Q2  C  and  Q3  C  Qj. 

2.2.2  Related  work 

In  this  section,  we  review  several  existing  results  related  to  the  present  work. 

Csiszar  and  Korner  characterized  the  rate  equivocation  region  [3]  for  broadcast 
channels  with  a  common  message  for  both  users  and  a  single  confidential  message 
intended  for  one  of  the  two  users.  Without  loss  of  generality  (WLOG),  we  assume 
that  W2  is  absent  from  our  model.  The  result  is  summarized  below. 

Proposition  1.  [3,  Theorem  1]  The  rate  equivocation  region  1Zck  for  a  DMBC  with 
one  common  message  for  both  receivers  and  a  single  confidential  message  for  the  first 
receiver  is  the  closed  convex  set  consisting  of  those  triples  ( R0 ,  R\ ,  Re )  for  which  there 
exist  random  variables  U  — >  V  — *  X  — »  such  that 

0  <  Re<Ri  (2.11) 
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Re 

< 

I{V ;  Yi\U)  — 

I(V-,Y2\U) 

(2.12) 

Ri  +  Ro 

< 

I(V ;  Yi\U)  + 

min  {/([/;  W), /([/;  Y2)} 

(2.13) 

Ro 

< 

min{/(f/ ;  Yx) 

,i(u-,y2)} 

(2.14) 

We  note  that  the  Markov  chain  condition  in  Proposition  1  can  be  relaxed,  as 
stated  below. 

Lemma  1.  Let  TZ'CK  be  the  convex  closure  of  rate  triples  (R\,  Re,  Ro)  that  satisfy 
(2.11)-(2.1f)  where  the  random  variables  follow  the  Markov  chain:  UV  — *  X  — >  Y{Y2, 
then  TZck  =  TZ'CK. 

Proof.  TZck  Q  TZ'ck  follows  trivially  from  the  fact  that  U  — >  V  — >  X  — >  Y\Y2 
implies  UV  — >  X  — >  Y{Y2.  To  prove  7 Z'CK  Rck,  assume  (Ri,  Re,  R0)  e  7 Z'CK  f°r 
some  UV  — >  X  — >  Y{Y2.  Dehne  U'  =  U  and  V  =  UV,  one  can  verify  easily  that 
(Ri,  Re,  Ro)  satisfies  (2.11)-(2.14)  for  U'  — >  V'  — >  X  — >  Y{Y2,  i.e.,  (Ri,  Re,  R0)  G 
TZck-  Q 

Recently,  Liu  et  al  proposed  an  inner  bound  and  an  outer  bound  to  the  capacity 
region  for  broadcast  channels  with  perfect-secrecy  constraint  on  the  confidential  mes¬ 
sages  [21,26].  The  model  in  [21,26]  is  in  essence  a  DMBC-2CM  without  a  common 
message.  In  their  model,  each  user  has  its  own  confidential  message  that  is  to  be 
completely  protected  from  the  other  user.  The  proposed  achievable  region  and  outer 
bound  are  given  in  Propositions  2  and  3,  respectively. 
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Proposition  2.  [21,  Theorem  4]  Let  Rlmsy-i  denote  the  union  of  all  (Ri,R2) 

satisfying 


0  <  Ri  <  /(Pi;  Y^U)  -  /(Pi;  Y2\V2U)  -  /(Pi;  V2\U) 

(2.15) 

0  <  R,  <  I(V2;  Y2\U)  -  /(VC,;  YWWU)  -  7(11;  V2\U) 
over  all  random  variables  (U,  Pi,  V2,  X,  Yi,  Y2)  G  Q 2.  Any  rate  pair  (Ri,R2)  € 

R'Lmsy-i  is  achievable  for  the  DMBC-2CM  without  a  common  message  and  with 
perfect  secrecy  for  the  confidential  messages,  i.e.,  Rq  =  07  R\  =  Re±,  and  R-2  =  Re2. 

Proposition  3.  [21,  Theorem  3]  An  outer  bound  to  the  capacity  region  for  the 

DMBC-2CM  without  a  common  message  and  with  the  perfect  secrecy  constraint  is 
the  set  of  all  (Ri,R2)  satisfying 

0  <  Ri  <  min{/(Pi;Pi|P)  -/(Pi;P2|P),/(Pi;Pi|P2P)  -/(Pi;P2|P2t/)}  (2.16) 

0  <R2<  min{/(P2;P2|P)  -J(P2;P1|t/),/(P2;P2|P1P)  -/(P.^'UPt/)}  (2.17) 

for  some  (U,  Pi,  V2,  X,  Yi,  Y2)  e  Q2.  We  denote  by  Rlmsy-o  this  outer  bound. 

In  the  absence  of  the  secrecy  constraint,  the  present  model  reduces  to  the  DMBC 
first  introduced  by  Cover  [36].  The  capacity  region  for  a  DMBC  is  only  known 
for  some  special  cases  (see  [37]  and  references  therein).  The  best  achievable  region 
for  the  general  DMBC  is  given  by  Gel’fand  and  Pinsker  in  [29]  which  reduces  to 
Marton’s  achievable  region  [28]  for  the  DMBC  in  the  absence  of  a  common  message. 
Capacity  region  outer  bounds  include  Korner  and  Marton’s  outer  bound  [28],  Liang 
and  Kramer’s  outer  bound  [32,33],  Nair  and  El  Gamal’s  outer  bound  [30,31],  Liang, 
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Kramer  and  Shamai  (Shitz)’s  outer  bound  [34],  and  most  recently  the  outer  bound 
proposed  by  Nair  [35]. 

Marton  in  1979  considered  the  DMBC  in  the  absence  of  a  common  message  and 
proposed  the  following  achievable  rate  region  [28]. 

Proposition  4.  [28,  Theorem  2]  Let  7 Zmt  be  the  union  of  non-negative  rate  pairs 
(i?i,  R2)  satisfying  R\ ,  R2  >  0  and 

Ri  <  I{UVi,  Yi)  (2.18) 

R‘2  <  I(UV2-Y2 )  (2.19) 

R1  +  R2  <  min{/(C7 ;  Yi),  I(U ;  Y2)}  +  I(V\,  Y\\U)  +  I(V2,  Y2\U) 

-/(Ki;K2|t/)  (2.20) 

for  some  (U,  V±,  V2,  X,  Y\,  Y2)  e  Q\.  Then  IZmt  is  an  achievable  rate  region  for  the 
DMBC  without  a  common  message. 

Gel’fand  and  Pinsker  [29]  generalized  Marton’s  model  by  considering  the  DMBC 
with  a  common  message.  The  achievable  rate  region  they  proposed  is  summarized 
below. 

Proposition  5.  [29,  Theorem  1]  Let  IZqp  be  the  union  of  non-negative  rate  triples 
(R0,  Ri,  R2)  satisfying 

Ro  <  min  {I{U-Yf),I{U-Y2)}  (2.21) 

Ri  +  R,  <  I(Vii  Yi\U)  +  min{/(t/ ;  Yi),  I(U ;  Y2)}  (2.22) 
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R-2  +  Ro  <  I(V2',Y2\U)  +  min{/(t/;li),/(t/;  Y2)} 


(2.23) 


R1  +  R2  +  R0  <  mm{I(U ;  Yj,  I(U ;  Y2)}  +  I(Vp,  Yf\U)  +  I(V2]  Y2\U) 


V2\U) 


(2.24) 


for  some  (U,  V\,  V2,  X,  Yi,  Y2)  G  Q\.  Then  Rgp  is  an  achievable  rate  region  for  the 
DMBC. 


In  the  absence  of  a  common  message,  Rgp  can  be  shown  to  be  equivalent  to 
Rmt  [29].  Furthermore,  an  equivalent  definition  of  Rgp  can  be  obtained  by  restricting 
Z  G  <2 2  instead  of  Qi,  i.e., 


Lemma  2.  Define  7 Z'GP  to  be  the  union  of  non-negative  rate  triples  (R0,  R\,  R2) 
satisfying  (2.21)-(2.2f)  with  Z  G  Q2,  then  Rgp  =  R'gp- 


The  proof  is  similar  to  that  for  Lemma  1  and  is  omitted.  Similarly,  Rmt  can  also 
be  equivalently  defined  using  Z  G  0,2- 

Recently,  a  new  achievable  region  was  given  by  Liang  and  Kramer  [32,33],  sum¬ 
marized  in  Proposition  6. 


Proposition  6.  [33,  Theorem  5]  Let  Rlki  be  the  union  of  non-negative  rate  triples 
(R0,  Ri,  Rf)  satisfying 


R1  +  R0  <  /(W;Yi) 


(2.25) 


^2  +  ^0  <  I{V2U)Y2 ) 


(2.26) 


R\  +  R2  +  Ro  <  min{/(C/ ;  Y\),  I(U ;  I2)}  +  I(Vt,  Yi\U)  +  I(V2',  Y2\U) 
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I{Vi\V2\U) 


(2.27) 


Ri  +  R-2  +  2i?0  <  /(l/1t/;r1)  +  /(l/2C/;y2)-/(y1;l/2|t/)  (2.28) 

for  some  (U,  VXl  V2,  X,  Yx ,  Y2)  G  Qi .  T/ien  Rlki  is  an  achievable  rate  region  for  the 
DMBC. 

While  the  expressions  of  IZlki  suggests  that  it  may  potentially  enlarge  the  existing 
achievable  region,  it  was  later  shown  in  [38]  that  this  region  is  actually  equivalent  to 
1Zgp  in  Proposition  5. 

An  earlier  outer  bound  by  Korner  and  Marton  [28,  Theorem  5]  for  the  capacity 
region  of  the  DMBC  is  subsumed  by  several  recent  outer  bounds.  One  of  the  proposed 
outer  bounds  was  by  Liang  and  Kramer  [32,33],  as  summarized  in  Proposition  7. 

Proposition  7.  [33,  Theorem  6]  If  (Ro,  Ri,  R2)  is  achievable,  then  there  exists  Z  e 
Q i  and 

R0  <  min  {/(£7;Yi),/(£7;y2)},  (2.29) 

Ro  +  Ri  <  nVrU-Yf),  (2.30) 

^0  +  ^2  <  I(V2U-Y2),  (2.31) 

R0  +  R,  +  R2  <  /(X;  Y2\VxU)  +  /(W;  YX\U)  +  min{/(£7;  W),  I(U;  Y2)},( 2.32) 

R0  +  R1  +  R2  <  I(X]  Yi\V2U)  +  /(V-y  Y2\U)  +  min{/(t/ ;  W),  I{U ;  K2)}.  (2.33) 

We  denote  this  outer  bound  as  IZlk,  he.,  R-lk  is  the  union  of  non-negative  rate 
triples  (R0,  R\,  R2)  satisfying  (2.29)-(2.33)  over  Z  e  Q1.  Furthermore,  we  can  also 
restrict  the  Markov  chain  condition  to  be  Z  E  Q2,  i.e., 
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Lemma  3.  Define  IZ'LK  to  be  the  convex  closure  of  the  union  of  non-negative  rate 
triples  (Rq,  Ri,  Rf)  satisfying  (2.29)-(2.33)  with  Z  G  Q2,  then  Hlk  =  R-'lk- 

In  [30,31],  another  outer  bound  to  the  capacity  region  of  the  general  DMBC  was 
given  by  Nair  and  El  Garnal,  as  summarized  in  Proposition  8.  This  outer  bound  was 
shown  to  be  strictly  tighter  than  the  Kbrner  and  Marton  outer  bound  [28,  Theorem  5]. 

Proposition  8.  [31,  Theorem  2.1]  If  (R0,  R1,  R2)  is  achievable,  then  there  exists 


Z  e  Q3  and 

R0  <  min{/([7 ;  hi),  I(U ;  Y2)},  (2.34) 

R0  +  R1  <  I(ViU;Yi),  (2.35) 

R0  +  R2  <  I(V2U-,Y2),  (2.36) 

Ro  T  Ri  T  R2  <  I (y2',Y2\V\U)  +  I(ViU;Yi)r  (2.37) 

R0  +  R1  +  R2  <  /(I/1;y1|P2t/)  +  /(I/2t/;y2).  (2.38) 


We  denote  by  IZne  this  new  outer  bound,  i.e.,  IZne  is  the  union  of  nen-negative  rate 
triples  (Ro,  Ri,  R2)  satisfying  (2.3f)-(2.38)  over  Z  e  Q3.  It  was  shown  in  [39]  that, 
in  the  absence  of  a  common  message  (R0  =  0),  7 Zne  remains  invariant  if  we  replace 
Qs  with  Q\ . 

A  more  recent  outer  bound  to  the  capacity  region  for  the  DMBC  was  proposed 
by  Liang,  Kramer,  and  Shamai  (Shitz)  [34],  ,  as  summarized  in  Proposition  9. 
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Proposition  9.  [34,  Theorem  1]  If  (Ro,  R±,  R2)  is  achievable,  then  there  exist  random 
variables  (Wo,  W±,  W2,  V\ ,  V2,  X,  Y\ ,  Y2)  whose  joint  distribution  factors  as 


p(w0)p(wi)p(w2)p(v1,  v2\w0,  Wi,  W2)p(x\v1,  v2,  w0,  Wi,  w2)p(yi,  y2\x) 

(2.39) 

such  that. 

0  Y  Rq  Y 

mm{I(W0-,Y1\V1),I(Wo;Y2\V2)} 

(2.40) 

Ri<I(Wi, 

UIU) 

(2.41) 

R2<I(W2- 

y2\v2) 

(2.42) 

Ro 

+  JR1<min{/(W0W1;y1|l/1) 

,  I(Wi;  Y^WqVM)  +  I(W0V i;  y2|y2)}(2.43) 

Ro 

+  R2Ymm{I(W0W2-Y2\V2) 

,  i(w2;  y2|  ww)  +  i(w0v2- y1|y1)}(2.44) 

Ro 

+  R\ 

+  R2YI(Wi, 

v^wowwn) 

+  i(w0w2v1-y2  \V2) 

(2.45) 

Ro 

+  R\ 

+  R2YI(W2i 

y^wownn) 

+  /(w0w1y2;y1|y1) 

(2.46) 

Ro 

+  Ri 

+  R2YI(W1- 

Y1\W0W2VlV2) 

+  i(w2-  y2|w0yiy2)  +  i(w0v Lv2; 

14X2.47) 

Rq 

+  Ri 

+  R2Y  In¬ 

y2|w0fyiyiy2) 

+  I(Wi;  Y.lWoVn)  +  I(w0v \v2- 

y2)(2.48) 

where  X  is  a 

deterministic 

function  of  (W0,  Wu  W2,  Vu  V2),  and  W0,  Wu  W2 

are  uni- 

formly  distributed. 

We  refer  to  this  new  outer  bound  as  R-lks- 
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2.3  An  Achievable  Rate  Equivocation  Region 


In  this  section,  we  review  an  achievable  rate  equivocation  region  for  the  DMBC- 
2CM,  given  in  Theorem  1,  and  first  proposed  by  Cao  and  Chen  in  [27].  The  coding 
scheme  combines  binning,  superposition  coding,  and  rate  splitting.  For  the  rate 
constraints,  the  binning  approach  in  [40]  is  supplemented  with  superposition  coding  to 
accommodate  the  common  message.  An  additional  binning  is  introduced  for  achieving 
confidentiality  of  private  messages.  We  note  that  this  double  binning  technique  has 
been  used  by  various  authors  for  communications  involving  confidential  messages  (see, 
e.g.,  [21,41]). 

Different  from  that  of  [21],  we  make  explicit  use  of  rate  splitting  for  the  two 
private  messages  in  order  to  boost  the  rates  R\  and  R-2.  We  note  that  this  rate 
splitting  was  implicitly  used  in  [3]  (specifically,  the  proof  of  Lemma  3  in  [3]).  To  be 
precise,  we  split  the  private  message  W1  E  {1,  •  •  -,2ni?1}  into  Wn  E  {1,  •  •  •)2ni?11} 
and  Ww  E  { 1 ,  •  •  -,2ni?10},  and  W2  E  { 1 ,  *  •  .,2nR2}  into  W22  E  {1,  •  •  -t2nR22}  and 
IWo  G  {1,  •  •  -,2nR20},  respectively.  Wn  and  W22  are  only  to  be  decoded  by  their 
intended  receivers  while  W\o  and  W2o  are  to  be  decoded  by  both  receivers.  Notice 
that  this  rate  splitting  is  typically  used  in  interference  channels  to  achieve  a  larger 
rate  region  as  it  enables  interference  cancellation  at  the  receivers.  It  is  clear  that  this 
rate  splitting  is  prohibited  if  perfect  secrecy  is  required  as  in  [21], 

The  achievable  rate  equivocation  region  for  the  DMBC-2CM  is  formally  stated 
below. 
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Theorem  1.  Let  TZj  be  the  union  of  all  non-negative  rate  quintuple  (Rq,  Ri,  R-2,  Re  1,  Re 2) 
satisfying 


Re  1 

< 

Ri 

(2.49) 

Re  2 

< 

R-2 

(2.50) 

Ro 

< 

min {/([/;  y), /([/;  y)} 

(2.51) 

Ri 

+  Ro 

< 

^(W;  Yi\U)  +  mm{I(U ;  y) 

),7'(C/;y)} 

(2.52) 

R2 

+  Ro 

< 

/(y;y|^)  +  mm{/(y  y; 

),  J(C/;L-2)} 

(2.53) 

R\  +  R2 

+  Ro 

< 

/(y;y|c/)  +  /(y;y|t/)- 

-/(y;y|c/) 

+  min{/(f/;y),/(f/;y)} 

(2.54) 

Re  1 

< 

[/(y;  y  |£7)  -  /(y ;  yy  |c/)]+ 

(2.55) 

Re2 

< 

[/(y;y|c/)-/(y;yy|[/)]+ 

(2.56) 

over  all  ( U ,  V\ ,  V2,  X,  y ,  Yf)  e  Q2..  where  [x]+  =  max{x,  0}.  T/ien  TZj  is  an  achievable 
rate  region  for  the  DMBC-2CM. 

The  interpretation  of  the  auxiliary  variables  is  as  follows.  The  auxiliary  variable 
U  represents  all  the  common  information,  i.e.,  the  triple  (Vy0,  W20,  Wo);  W  and  V2 
represent  Wn  and  W2 2  respectively. 

The  region  77/  remains  the  same  if  we  replace  Q2  with  Q1.  Formally, 

Lemma  4.  Define  77)  to  be  the  union  of  all  non-negative  rate  quintuple  (Ri,  R2 ,  Ro,  Re  1,  Re2) 
satisfying  (2.f9)-(2.56)  over  Z  e  Qi,  then  77/  =  7 7). 
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Proof.  The  fact  that  TZj  C  7 Z\  follows  trivially  from  Q 2  C  Q1. 

We  now  show  VfI  C  TZj.  Assume  (R\,  R2,  Rq,  Rei,  Re2)  £  R'j,  he.,  there  exists 
(U,  V\ ,  V2,  X,  Yx ,  Y2)  €  Qi  such  that  (i?i,  R-2,  Rq,  Rei,  Rei)  satisfies  (2.49)-(2.56).  The 
proof  is  completed  by  dehnining  U'  =  U,  V[  =  U\ 1,  and  Vi,'  =  C/V2  and  observe 
that  the  same  (R\,  R2,  Ro,  Rei,  Re2)  satisfies  (2.49)-(2.56)  for  ([/',  V,',  Vj,  X,  Y\ ,  Y2)  <E 
Q2.  □ 

This  achievable  rate  equivocation  region  unifies  many  existing  results  which  we 
enumerate  below. 

2.3.1  Csiszar  and  Korner’s  region 

In  [3],  Csiszar  and  Korner  characterized  the  rate  equivocation  region  for  broadcast 
channels  with  a  single  confidential  message  and  a  common  message. 

By  setting  R2  =  0  and  Re2  =  0  in  Theorem  1,  it  is  easy  to  see  that  IZi  reduces  to 
Csiszar  and  Korner’s  capacity  region  IZck  described  in  Proposition  1. 

2.3.2  Liu  et  al’s  region 

In  [21],  Liu  et  al  proposed  an  achievable  rate  region  for  broadcast  channel  with  con¬ 
fidential  messages  where  there  are  two  private  message  and  no  common  message. 
In  addition,  the  private  messages  are  to  be  perfectly  protected  from  the  unintended 


receivers. 


By  setting  R\  =  Re\ ,  R2  =  Re 2  and  Ro  =  0  in  Theorem  1,  one  can  easily  check  that 
7 Zj  reduces  to  Liu  et  aV s  achievable  rate  region  Rlmsy-i  described  in  Proposition  2. 

2.3.3  Gel’fand  and  Pinsker’s  region 

In  [29],  Gel’fand  and  Pinkser  generalized  Marton’s  result  by  proposing  an  achievable 
rate  region  for  broadcast  channels  with  a  common  message.  If  we  remove  the  secrecy 
constraints  in  our  model  by  setting  7?el  =  0  and  Re 2  =  0  in  Theorem  1,  we  obtain  an 
achievable  rate  region  for  the  general  DMBC,  denoted  by  TZ,  defined  by  (2.51)-(2.54) 
with  U  — >  (Pi,  V2 )  — >  X  —>  (Li,  Y2).  From  Proposition  5  and  Lemma  2,  7Z  =  7 ZGP. 

The  proofs  in  [28,29]  both  use  a  corner  point  approach.  A  binning  approach  was 
used  in  [40]  to  prove  a  weakened  version  of  [28,  Theorem  2],  The  proof  introduced 
in  the  present  chapter,  by  stripping  out  all  confidentiality  constraints,  provides  a 
new  way  to  prove  the  general  achievable  rate  region  of  the  DMBC,  [29,  Theorem  1] 
and  [28,  Theorem  2],  along  the  line  of  [40]. 

2.4  Outer  Bounds 

We  now  present  several  outer  bounds  to  the  rate  equivocation  region  for  DMBC- 
2CM.  Define  IZ01  to  be  the  union,  over  all  Z  e  Qlf  of  non- negative  rate  quintuple 
(R0,  Ru  i?2,  Re i,  Re-i)  satisfying 

Re  1  <  Ri  (2.57) 
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Re  2  <  R‘2  (2.58) 

R0  <  min{/(f/;F1),/(f/;F2)}  (2.59) 

R0  +  Ri  <  I(Vi,  Yi\U)  +  mm{I(U ;  Yi),  /(£/ ;  y2)}  (2.60) 

+  <  /(^nl^  +  mml/^y!),/^;^)}  (2.61) 


R)PRlPR2  <  d{V2]  Y2\ViU)  +  I(Vi,  Y\\U)  +  min{/([7 ;  W),  /(£/;  ^2)}  (2.62) 
i?0  +  i?i  +  i?2  <  /(^;Fi|K2f/)  +  /(^;F2|t/)  +  min{/(?7;F1),/(?7;F2)}(2.63) 
i2e!  <  min{[/(y1;y1|C/)^/(y1;y2|C/)]+, 

[j(yi;  yx|  w)  -  /(yi;  y2|y2f/)]+}  (2.64) 

i?e2  <  mm{[I(V2-Y2\U)-I(V2;Y1\U)}+, 

[/(V^IW)  «/(^;y|^c/)]+}.  (2.65) 

Similarly,  define  R02  and  Rod  in  exactly  the  same  fashion  except  with  Q1  replaced 
by  O2  and  Q3,  respectively.  We  have 

Theorem  2.  Ro\,  R02,  and  Rod  are  all  outer  bounds  to  the  rate  equivocation  region 
of  the  DMBC-2CM. 

Proof.  The  proof  that  R02  and  Rod,  are  outer  bounds  is  given  in  Section  2.6.1.  That 
R01  is  an  outer  bound  follows  directly  from  Lemma  5.  □ 

Lemma  5.  Rod  0  R01  —  Ro2- 

Lemma  5  can  be  established  by  simple  algebra  whose  proof  is  omitted.  While 
Rod  subsumes  both  Rq\  and  R02,  the  latter  expressions  are  often  easier  to  use  in 
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establishing  capacity  results  or  comparing  with  existing  bounds.  For  example,  it  is 
straightforward  to  show  that  IZ02  is  tight  for  Csiszar  and  Korner’s  model  [3],  i.e.,  the 
DMBC  with  only  one  confidential  message. 

Below,  we  discuss  various  implications  of  Theorem  2. 

2.4.1  The  rate  equivocation  region  of  the  less  noisy  DMBC- 
2CM 

For  the  DMBC  defined  in  Section  2.2.1,  channel  1  is  said  to  be  less  noisy  than  channel 
2  [42]  if  for  every  V  ->•  X  ->■  Y,Y2, 

I(V;Y1)>I(V;Y2).  (2.66) 

Furthermore,  for  every  U  — >•  V  — >•  X  — >•  Y\Y2,  the  above  less  noisy  condition  also 
implies 

IiV-Y^U)  >  I(V-Y2\U).  (2.67) 

Using  Theorems  1  and  2,  we  can  establish  the  rate  equivocation  region  for  the  less 
noisy  DMBC-2CM  as  in  Theorem  3. 

Theorem  3.  If  channel  1  is  less  noisy  than  channel  2,  then  the  rate  equivocation  re¬ 
gion  for  this  less  noisy  DMBC-2CM  is  the  set  of  all  non-negative  (R0,  R\,  R2l  Re  1,  Re2) 
satisfying 


<  Ri 

(2.68) 

<  hu-y2) 

(2.69) 
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Rq  +  R\  +  R2 

<  /(T;Ti|C/)  +  /(C/;T2) 

(2.70) 

Re  1 

<  i(v-M\ U)-I(V-Y2\U) 

(2.71) 

Re  2 

=  0, 

(2.72) 

for  some  (U,  V,  X,  Y,  Y2)  such  that  U  ->  V  ->•  X  ->  Y,^. 

Proof.  The  achievability  is  established  by  setting  V2  =  const  in  Theorem  1  and 
using  the  conditions  (2.66)  and  (2.67).  To  prove  the  converse,  we  need  to  show 
that  for  any  rate  quintuple  satisfying  Eqs.  (2.57)-(2.65)  in  Theorem  2,  we  can  find 
(U',V',X,Y1,Y2)  such  that  U'  ->  V'  -£  X  ->  YXY2  and  (2.68)-(2.72)  are  satisfied. 
This  can  be  accomplished  by  using  the  conditions  (2.66)  and  (2.67)  in  Eqs.  (2.59)- 
(2.65)  and  by  defining  U'  =  UV2  and  V'  =  UVXV2  where  (U,  Vu  V2,  X,  YX,Y2)  £  Q2 
are  the  variables  used  in  Theorem  2.  □ 

The  fact  that  Re2  =  0  is  a  direct  consequence  of  the  less  noisy  assumption:  receiver 
1  can  always  decode  anything  that  receiver  2  can  decode. 

2.4.2  The  rate  equivocation  region  of  the  semi-deterministic 
DMBC-2CM 

Theorem  2  also  allows  us  to  establish  the  rate  equivocation  region  of  the  semi- 
deterministic  DMBC-2CM.  WLOG,  let  channel  1  be  deterministic. 

Theorem  4.  If  p(y1\x)  is  a  (0,1)  matrix,  then  the  rate  equivocation  region  for  this 
DMBC-2CM,  denoted  by  IZsd,  is  the  set  of  all  non-negative  (Rq,  R2,  R2,  Re2,  Re2)  sat- 
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isfying 


Re i  <  Ri  (2.73) 

Re  2  <  i?2  (2.74) 

Ro  <  min{/(t/;F1),/(f/;F2)}  (2.75) 

Ro  +  Ri  <  H {Yi \U)  +  min{/ (U ;  Yi) ,  I (U ;  Y2)}  (2.76) 

R0  +  R2  <  7(Y2;  Y2\U)  +  min{/(£7 ;  Yi),  I{U ;  Y2)}  (2.77) 

i?0  +  i?i  +  i?2  <  ^(yi|W)+/(y2;y2|£7)+niin{/(£7;yi),/(£7;y2)}  (2.78) 

Rel  <  H(Y1\Y2V2U)  (2.79) 

Re2  <  [/(y2;y2|t/)-/(y2;yi|c/)]+,  (2.80) 

for  some  (U,  Y1,  V2,  X,  Y1,  Y2)  G  Q2. 


Proof.  The  direct  part  of  this  theorem  follows  trivially  from  Theorem  1  by  setting 

v)  =  y. 

The  proof  is  therefore  complete  by  showing  lZsD-02  Q  Rsd,  where  IZsD-02  is 
the  outer  bound  IZ02  specializing  to  the  semi-deterministic  DMBC-2CM.  That  is,  for 
any  Z  G  Q2  and  (Ro,  Ri,  R2,  i?el,  Re2)  satisfying  (2.57)-(2.65),  we  need  to  show  that 
(Ro,  Ri,  R2,  Rei,  Re2)  also  satishes  (2.73)-(2.80)  when  p(yi\x)  is  a  (0,1)  matrix.  We 
note  that  Eqs.  (2.73)-(2.75),  (2.77),  and  (2.80)  can  be  trivially  established.  That  the 
sum-rate  bound  Eq.  (2.76)  is  satisfied  follows  easily  from  Eq.  (2.60)  and  the  fact 

H(Y1\U)>I(V1-Y1\U).  (2.81) 
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The  sum-rate  bound  for  R0  +  Ri  +  R2  in  Eqs.  (2.62)  and  (2.63)  can  be  re-written  as 


R0  +  R1  +  R2  <  nhn{/(V2;  Y2\V\U)  +  I(V\\ Yi\U) ,  I  (Vi,  Yi\V2U)  +  I(V2;  Y2\U)} 


+  mm{I(U;Y1),I(U;Y2)}.  (2.82) 

Thus  (2.78)  is  satisfied  since 

H^WV^U)  +  I(V2,Y2\U)  >  /(Vi;  Yi\V2U)  + 1  (V2;  Y2\U).  (2.83) 

For  Eq.  (2.79),  we  only  need  to  show  (cf.  (2.64)) 

H(Yi\Y2V2U)  >  I(Vi,Yi\V2U)  —  I(Vi]Y2\V2U).  (2.84) 

We  have 

H(Y1\Y2V2U)  >  IiV^YMU)  (2.85) 

=  /(W;  YMlVzU)  -  /(W;  Y2\V2U)  (2.86) 

>  I(V i;  Y1\V2U)  -  /(W;  Y2\V2U).  (2.87) 

The  proof  of  Theorem  4  is  therefore  complete.  □ 


Similarly,  the  rate  equivocation  region  of  the  deterministic  DMBC-2CM  can  be 
established  as  follows. 

Theorem  5.  If  p(yi\x)  and  p(y2\x)  are  both  (0,1)  matrices,  then  the  rate  equivoca¬ 
tion  region  for  this  deterministic  DMBC-2CM  is  the  set  of  all  (R0,  Ri,  R2,  Rei,  Re2) 
satisfying 

0  <  Re i  <  Ri  (2.88) 
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0 

< 

Re  2  <  7?2 

(2.89) 

0 

< 

i?o<min{/(f/;F1),/(f/;F2)} 

(2.90) 

Rq 

+  R\ 

< 

HfY\\U)  +min{/(C/;  T'i),  J(f/;  F2)} 

(2.91) 

Rq 

+ 

< 

i7(r2|C/)  +min{/(£7;  T'i),  /([/;  h2)} 

(2.92) 

& 

o 

+ 

+ 

< 

i7(Yiy2|C/)  + 

min{/(£7;  Y,),  I(U;Y2)} 

(2.93) 

Re  1 

< 

tfOhlw) 

(2.94) 

Re  2 

< 

(2.95) 

for  some  (U,  Yh  Y2,  X,  Yu  Y2)  G  Q2. 

Proof.  The  direct  part  of  this  theorem  follows  trivially  from  Theorem  4  by  setting 
K2  =  Y2. 


To  establish  the 

converse,  we  note  that 

H(Y2\U) 

> 

I(V2-,Y2\U), 

(2.96) 

H(Yi\Y2U) 

> 

H^WY^U), 

(2.97) 

H(Y2\Y-JJ) 

> 

I(V2]Y2\U)  -  Ky^Y^U), 

(2.98) 

H{Y\Y2\U) 

= 

H(Yi\Y2U)  +  H(Y2\U) 

>  H(Y1\Y2V2U)  +  H(Y2\V2U)  -  H{Y2\V2U)  +  H{Y2\U) 

>  H(Yi\V2U)  +  I(V2;  Y2\U),  (2.99) 


Thus  the  right-hand  side  of  Eqs.  (2.77)-(2.80)  in  Theorem  4  are  maximized  by  setting 
V2  —  Y2.  This  completes  the  converse  proof  of  Theorem  5.  □ 
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We  have  the  following  table  about  the  classes  of  broadcast  channel  whose  capacity 


is  known  for  general  broadcast  channel  and  also  DMBC-2CM. 


DMBC 

DMBC-2CM 

Inner  bound 

V 

\/ 

Outer  bound 

V 

\/ 

Capacity  of  More  capable  channel 

V 

? 

Capacity  of  Less  noisy  channel 

V 

a/ 

Capacity  of  Deterministic  channel 

\/ 

a/ 

Capacity  of  Semi-Deterministic  channel 

V 

Capacity  of  Ri  =  0  or  R2  =  0 

'J 

\ / 

Table  2.1:  The  comparison  of  the  known  results  of  DMBC  and  DMBC-2CM. 

2.4.3  Outer  bound  for  the  DMBC-2CM  with  perfect  secrecy 

By  setting  Rq  —  0,  Re\  =  R\  and  Re 2  =  R2  in  Theorem  2,  we  obtain  outer  bounds 
for  the  DMBC-2CM  with  perfect  secrecy,  denoted  respectively  by  lZps-01,  Hps-02, 
and  IZps-03  for  Z  G  Qi,  Z  G  Q2,  and  Z  G  Q3.  Clearly, 

Tips -01  =  Tlps-02  Z  IZps-od,  (2.100) 

In  addition,  from  Proposition  3,  we  have 

Tips  -02  —  Ulmsy-o ■  (2.101) 
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i.e. ,  IZps-02  coincides  with  Liu  et  ad s  outer  bound  in  Proposition  3.  Finally,  all  these 
outer  bounds  are  tight  for  the  semi-deterministic  DMBC-2CM  with  perfect  secrecy. 

2.4.4  New  outer  bounds  for  the  general  DMBC 

Specializing  Theorem  2  to  the  general  DMBC,  i.e,  setting  Rei  =  Re2  —  0,  we  obtain 
the  following  outer  bounds  for  the  general  DMBC. 

Theorem  6.  Define  TZbc-oi  to  be  the  union,  over  all  Z  e  Q\,  of  non-negative  rate 
quintuple  (R0,  Ri,  R2)  satisfying 

Ro  <  min  {I{U-Yf),I{U-Y2)}  (2.102) 

Ro  +  Ri  <  I(Vi,  Y\\U)  +  min{/([7 ;  Yf),I(U ;  Y2)}  (2.103) 

R0  +  R2  <  I(V2',  Y2\U)  +  min{/([/ ;  Y\),I(U ;  Y2)}  (2.104) 

Ro  T  R\  ~\~  R2  <  /(^2;y2|W)  +  /(^i;i"i|^)  +  miii{/(£/;y1),/(£/;y2)X2.105) 

Ro  +  R!  +  R2  <  I(Vi,  Yi\V2U)  +  I(V2;  Y2\U)  +  min{/(f/ ;  Yfi),I(U ;  T2)j(2.106) 

Then  TZbc-oi  constitutes  an  outer  bound  to  the  capacity  region  for  the  DMBC. 

One  can  establish  in  a  similar  fashion  two  other  outer  bounds  for  the  general 
DMBC,  denoted  by  1Zbc-02  and  TZbc-oo,  by  replacing  Qi  in  Theorem  6  with  Q2 
and  Q:j,  respectively.  Similar  to  Lemma  5,  we  have 

R-bc-oz  C  1Zrc-o\  =  R-bc-02-  (2.107) 

Remark  1.  It  is  interesting  to  observe  that  the  inequalities  of  our  outer  bound  IZbc 
are  all  identical  to  those  of  the  existing  inner  bound  [29],  described  in  Proposition  5, 
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except  for  the  bound  on  Ro  +  R\  +  R2,  for  which  there  is  a  gap  of 

7  =  min{/(Vi;  V2\Y1U),  I(V p,  V2\ Y2U)}.  (2.108) 

Remark  2.  It  is  easy  to  show  that  1Zbc-02  subsumes  the  outer  bound  IZlk  proposed 
in  [33,  Theorem  6],  by  comparing  Eqs.  (2.103)-(2.10f)  with  Eqs.  (2.30)-(2.31). 

Remark  3.  The  new  outer  bound  Rbc-oz  is  also  a  subset  of  the  outer  bound  region 
R-ne  proposed  in  [31,  Theorem  2.1],  as  described  in  Proposition  8.  More  precisely, 
we  have 

Lemma  6.  Rbc-oz  Q  Rne,  where  the  equality  holds  when  1)  Ro  =  0;  or  2)  R.\  =  0; 
or  3)  R2  =  0. 

Proof.  By  simple  algebra,  one  can  show  Rbc-os  E  1ZNE.  The  fact  that  Rbc-oz  = 
Rne  when  R0  =  0  can  also  be  verified  by  direct  substitution. 

We  now  prove  the  equivalence  under  R2  —  0,  and  the  case  for  Ri  =  0  can  be 
established  by  index  swapping.  With  R2  =  0,  Eqs.  (2.102)-(2.106)  of  Rbc-oz  can  be 
easily  shown  to  be  equivalent  to 

Ro  <  min{/([/;W),/(f/;F2)},  (2.109) 

^0  +  ^1  <  Yi\U)  +  mm{I(U ;  li),  I(U ;  Y2)},  (2.110) 

We  note  this  is  precisely  the  capacity  region  for  the  DMBC  with  degraded  message 
set  [3,  Corollary  5]. 

With  R2  =  0,  1Zne  in  Proposition  8  reduces  to 

Ro  <  min{/([/ ;  li),  /([/;  Y2)},  (2.111) 


38 


R0  +  Ri  <  /(W;y), 


(2.112) 


Ro  +  Ri  <  I{V1]Y1\V2U)  +  I{UV2-,Y2).  (2.113) 

Apparently  TZbc-os  Q  R-ne,  and  it  remains  to  check  R-ne  Q  R-bc-oz-  As¬ 
sume  (Rq,Ri)  G  IZne  and  (U,  Vx,  V2,  X,  y ,  Y2)  G  <23  are  the  variables  such  that 
Eqs.  (2.111)-(2.113)  are  satisfied.  Consider  three  cases  for  analysis. 

1.  I(U;Yi)  <  I(U;Y2).  The  proof  of  (R0,  R\)  G  TZbc-03  is  trivial. 

2.  /([/;  y)  >  I(U-  Y2)  and  I{V2U-  Yx)  >  I{V2U ;  Y2). 


Define  V[  =  V1,U'  =  UV2.  From  (2.111), 

R0  <  min{/(C/ ;  Yi),  I(U ;  Y2)}  (2.114) 

<  mm{I (UV2;  Yi),  I(UV2;  Y2)}  (2.115) 

=  min  {/([/';  Fi), /([/';  y2)}  (2.116) 

From  (2.113), 

R0  +  R1  <  I(Vi;Yi\UV2)  +  I(UV2;Y2)  (2.117) 

=  I{V[]  Y\\U')  +  I(U'\  Y2)  (2.118) 


Thus  (Ro,R2)  also  satisfies  (2.109)  and  (2.110)  for  U'V[  — *  X  — >  Y{Y2. 

3.  UU-  y)  >  /([/;  y2)  and  /(F2C/;  y)  <  J(\W;  Y2). 

For  this  case,  we  can  always  find  a  function  g(-)  such  that 

nug{y2)- y)  =  /(c/<?(y>);  y).  (2.119) 
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Define  V(  =  V\ ,  U'  =  U  g(V2)  and  we  can  verify  that  (Ro,  R±)  satisfies  (2.109) 
and  (2.110)  for  U'V{  -t  X  Y,Y2. 

The  above  argument  completes  the  proof  of  Lemma  6. 

□ 

Note  that  the  conditions  in  Lemma  6  are  only  sufficient  conditions,  i.e.,  there 
may  be  other  instances  when  the  two  bounds  are  equivalent.  It  is  also  possible  that 
IZbc-os  =  Rne  though  we  have  not  been  successful  in  proving  (or  disapproving)  it. 

Remark  4.  One  can  easily  verify  that  the  outer  bound  proposed  in  [34],  Rlks  in 
Proposition  9,  subsumes  all  the  above  outer  bounds.  To  summarize,  we  have 

Rlk 

Rlks  f  Rbc—03  T  \  (2.120) 

|  Rne 

It  remains  unknown  if  any  of  the  above  subset  relations  can  be  strict  or  not. 

The  fact  that  Rlks  subsumes  existing  outer  bounds  can  be  attributed  to  the  way 
auxiliary  random  variables  are  defined  in  [34]-  By  further  splitting  auxiliary  random 
variables  and  isolating  those  corresponding  to  the  message  variables,  one  can  keep  the 
terms  in  the  rate  upper  bounds  which  are  otherwise  dropped  if  only  three  auxiliary 
variables  are  used  as  in  Theorem  2  or  [31],  Finally,  we  remark  that  the  approach 
in  [34],  modified  sightly  by  relaxing  the  constraint  that  the  codeword  be  a  deterministic 
function  of  the  auxiliary  random  variables,  can  be  adopted  to  the  problem  involving 
secrecy  constraint  in  a  straightforward  manner  to  obtain  a  new  outer  bound  to  the 
rate  equivocation  region  for  the  DMBC-2CM. 
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Remark  5.  Most  recently,  the  outer  bound  IZne  is  further  improved  in  [35]  by  im¬ 
posing  an  extra  constraint  on  the  auxiliary  random  variables 

I(Vu  V2\ Y.U)  =  /(yl5  V2\ Y2U).  (2.121) 

This  equality  comes  from  the  way  the  auxiliary  random  variables  are  defined  within  the 
outer  bound  proof,  and  thus  it  is  also  applicable  to  our  outer  bound  IZbc-oz-  If  this 
extra  condition  is  imposed  on  both  IZbc-os  and  IZne,  then  the  equivalence  of  these 
two  outer  bounds  can  be  easily  established.  The  obtained  outer  bound  [35,  Lemma 
1]  by  imposing  this  extra  constraint  is  shown  to  subsume  all  the  above  outer  bounds 
IZne,  IZlk,  IZbc-oz,  and  IZlks- 

2.5  Summary 

In  this  chapter,  we  proposed  several  outer  bounds  for  the  rate  equivocation  region 
of  discrete  memoryless  broadcast  channels  with  two  confidential  messages  (DMBC- 
2CM).  Together  with  a  previously  proposed  inner  bound,  the  proposed  outer  bounds 
settle  the  rate  equivocation  region  of  the  less  noisy,  deterministic,  and  semi-deterministic 
DMBC-2CM.  In  the  absence  of  the  equivocation  constraints,  the  proposed  outer 
bounds  reduce  to  outer  bounds  for  the  general  broadcast  channel.  General  subset 
relations  with  other  known  outer  bounds  were  established. 
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2.6  Appendix 


2.6.1  Proof  of  the  outer  bounds  in  Theorem  2 

We  only  prove  IZ02  and  IZ03  are  outer  bounds  in  this  section.  The  proof  of  Theorem  2 
is  complete  by  the  fact  that  TZqi  =  ^02  (cf.  Lemma  5). 

We  first  define  the  following  notations/quantities.  All  vectors  involved  are  as¬ 
sumed  to  be  length  n. 


xi  =  (2.122) 

x*  =  (Xir--,Xn),  (2.123) 

n 

£1  =  ^/(y2m;Tn \Ytlwo),  (2-124) 

i=  1 
n 

St  =  ^/(y^Yaly^Wo),  (2.125) 

i=  1 


and  (S2,  S2),  (S3,  S3),  (S4,  S4)  are  analogously  defined  by  replacing  Wo  with  IT  oily , 
W0W2  and  W0WiW2  in  Eqs.  (2.124)  and  (2.125),  respectively.  In  exactly  the  same 
fashion  as  in  [3,  Lemma  7],  one  can  establish,  for  a  =  1,2,  3, 4, 

Sa  =  S;.  (2.126) 

We  begin  by  Fano’s  Lemma, 

H(WoWx\Y?)  <  nen, 

H{W0W2\Y2n)  <  nen. 
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where  en  — >  0  as  n  — >  oo 

.  Eqs.  (2.57)  and  (2.58)  follow  trivially  from 

0  <  H(W!\Y2n)  <  HiWj), 

(2.127) 

0  <  H(W2\Y?)  <  H(W2). 

(2.128) 

Next  we  check  bound  for  Rq. 

nR0  =  H(W0 )  = 

I(W0-,Y?)  +  H(W0\Y?) 

< 

n 

J]/(Wo;ky  Ytl)  +  nen 

1=1 

(2.129) 

= 

n 

J](/(fE0 Yt1-  Yu)  -  /(y/-1;  Yu))  +  nen 

1=1 

(2.130) 

< 

n 

^(/(w0y1<_1y2i+1;  yu)  -  /(y2m;  y^y^Wo))  + 

i=  1 

716^2.131) 

= 

n 

Y  IiWoYt'Yt1;  Yu)  -  Ex  +  nen 

1=1 

(2.132) 

< 

n 

YT(W°  Yt'Yt'-iYuj  +  nen 

i=l 

(2.133) 

(2.134) 

Similarly, 

TlR.Q 

n 

<  Y  nWoYr'Y^1;  Y2l)  -E(  +  nen 

1=1 

(2.135) 

n 

<  YT(W°  Yt'Yt'lY^+nen 

i=  1 

(2.136) 

Therefore 

(  n  n  ^ 

nRo  <  min  l  Y  I{WQYt'Y?'\ Yu),  Y  I{W0Y^Y^\ Y2i)  l  +  nen. 

1  i=  1  i=  1  J 

(2.137) 
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Consider  the  sum  rate  bound  for  R0  +  Ri. 


n(R0  +  i?i)  =  HiWoWi)  =  H{W0)  +  if  (Wi|W0)  (2.138) 

=  if  (Wo)  +  f  (Wi;  Y?\W0)  +  HiWilYfWo)  (2.139) 
<  H(W0)  +  I(W1-Yln\W0)  +  nen  (2.140) 

where 

I(Wi,Y?\W0)  (2.141) 

n 

=  ^IiW.-YulY^Wo)  (2.142) 

i=  1 
n 

=  ^WiY 2i+1;  YulYf-'Wo)  -  I(Y*+1-  ^l^-'WWi))  (2.143) 

i=l 

n 

=  ^(/(wi;  Yiiiyr^+'Wo)  +  /(y2m;  Yiiiyr'wb) 

i=l 

-f  (y2i+1;  yuiyr'WoWO)  (2.144) 

n 

=  Y,  J(^b  yulyr'^+'Wo)  +  Si  -  E2.  (2.145) 

i=l 

Combine  (2.132),  (2.140),  and  (2.145),  we  have 

n  n 

n(R0  +  Ri)<Y  IiWoYt'Yt1^)  +  ^  f(Wi;  y^y/-1^1^)  -  S2  +  2 nen. 
1=1  1=1 

(2.146) 


On  the  other  hand,  combining  (2.135),  (2.140),  (2.145),  and  (2.126)  yields 

n  n 

n(R0  +  Ri)<Y  HWoY^Yt1',  Y2l )  +  ^  f(Wi;  Y^Yi^Y^Wo)  -  S2  +  2ne„. 

i=l  i=l 

(2.147) 


Thus, 


n(R0  +  R,\ )  <  min 


n.).E/(Hw_1h+1; 

i=l 
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+  Y  I(Wi,  Y^Yr^Wo)  -  S2  +  2 nen  (2.148) 

2= 1 

{n  n 

Y  KWoYr'Yt1]  Yu),  Y  I(W0YrlYt]]  Y2i) 

i=  1  i=  1 

n 

+  ^  J(Wl5  yiilyr'^Wo)  +  2nen  (2.149) 

i=  1 

In  an  analogous  fashion,  we  can  get 


n(i?0  +  R2)  <  min  ^  Y  liWoYf'Y?1',  Yu),  Y  I{WQYf'Y?'\ Y* 

l  2=1  2=1 

n 

+  ^  /(wi;  yaiiyr'y^Wo)  -  s3  +  2  nen  (2.150) 

2=1 

{n  n 

Y  I{W»YtlYi+1-  Yu),  Y  I(W0Yr'Ytl;  y2j 

2=1  2=1 

n 

+  ^  I(Wu  Y^Yt'Yt'Wo)  +  2nen  (2.151) 

2=1 

Consider  the  sum  rate  bound  for  R0  +  Ri  +  R2. 


n(R0  +  i?i  +  R2)  =  if(W0Wi)  +  H(W2\W1W0)  (2.152) 

=  h{wqw1)  +  i(w2- y2n|Wi,  w0)  +  if  (w2|y2nw0Wi)(2.i53) 

<  HiWoWj  +  f(W2; y2n|VhiWo)  +  nen,  (2.154) 

n(R0  +  R,  +  R2)  =  H(W0W2)  +  H{Wl\W2Wo)  (2.155) 

=  H(W0W2)  +  I(Wu  Y?\W2W0)  +  H{Wi\Y?W0W2)  (2.156) 

<  H(W0W2)  +  I(Wi,  Y?\W2W0)  +  nen.  (2.157) 

Following  similar  procedure  as  in  (2.142)-(2.145),  we  can  obtain 

n 

I(W2 ;  Y?\Wu  Wo)  =  Y  I{W2-  Y^Yt^WoW,)  +  Y*2-  Y*4.  (2.158) 
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I(Wi\Y?\W2,Wq)  =  Y,I(Wi’Y^Yt1YtlwoW2)  +  V3-E4,  (2.159) 

i=  1 

Combine  (2.148),  (2.154),  (2.158),  and  (2.126),  we  get 

{n  n 

Y  /(w0y1i-1y2i+1;  no,  ^  i(w0YrxYi+l- y2, 

2=1  i= 1 

n  n 

+  Y  IiWr- Y^Yt'Y?'WQ)  +  Y  J(W2;  Y^Y^Y^WqW^ 


i— 1 

+3nen. 


2=1 


(2.160) 


Alternatively,  combining  (2.150),  (2.157),  (2.159),  and  (2.126)  yields 

{n  n 

Y  HWoYt'Yt1-,  no,  ^  /(Won<_1ni+1;  n 

i= 1  i=l 

n  n 

+  ^  J(W2;  y2i|n_1n+1^o)  +  ^  I(Wi;  Y2i\Y*-1Y*+1W0W2) 


n 


i=i 

+3  nen. 


2=1 


(2.161) 


We  now  consider  the  equivocation  rate  bound. 


Re  1  <  HiW^Y?)  (2.162) 

=  i7(Wi|y2nWo)  +  /(Wi;Wo|y2n)  (2.163) 

<  HiWilWo)  -  I(Wi,  Y?\W0)  +  H(W0\Y 2n)  (2.164) 

=  IiW^lWo)  -  IiW^lWo)  +  H^Y^Wo)  +  H(W0\Y^)  (2.165) 

<  /(Wl5  ITIlCo)  -  HWi,  Y?\W0 )  +  2ne„,  (2.166) 

Aei  <  //(iyi|y2n)  (2.167) 

=  H(Wi|y2nw0iy2)  +  i(w1’,w0w2\y?)  (2.168) 

<  h(w1\w0w2)  -  i(Wi;  y?\w0w2)  +  h(w0w2\y. 2n)  (2.169) 
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=  i(Wi,  y?\wqw2)  -  i{wd  y2n|ww2)  +  h(w1\y?w0w2) 


+H(W0W2\Y2n) 


(2.170) 


<  /(Wi;  Y?\WqW2)  -  I(W i;  y2n|WW2)  +  2nen..  (2.171) 


Of  the  terms  involved  in  (2.166)  and  (2.171),  only  I(Wi,  Y2\Wq)  and  I(W\\ Y.2\WqW2) 


have  yet  to  be  determined.  Similar  to  (2.142)-(2.145),  we  can  get 

n 

I(W1]Y^\W0)  =  ^/(Wi;yM|  YtlYi+lW0)  +  YX-Y*2l  (2.172) 

2=  1 
n 

I(Wi,Y2n\W0W2)  =  W2)  +  Y*3-Y*4.  (2.173) 

2=1 

Therefore  we  get 


Re  1 


Rel 


< 


< 


Y  I(Wi,  Y^Yf-'Yt'Wo)  -  Y  W;  ^l^r1^1^)  +  2ne^.l74) 

2=1  2=1 


55  I(Wi;  Yu\Yr]Y*+1W0W2)  -  Y  HWi)  Y2i\Yt1Yt1W0W2) 


2=1  2=1 
+2?T,6n. 


(2.175) 


Bounds  on  Re2  are  analogously  obtained: 


Re  2 


Re  2 


< 


< 


55  J(W2;  y2i|ni_1^+1^o)  -  51  J(W2;  yiilyr1^1^)  +  2ne$.176) 
2=1  2=1 


55  /(w2;  y2i|yi<_1y2i+1w0Wi)  -  55  /(w2;  yuiyr'yj+'iw) 


2=1  2=1 

+2726n. 


(2.177) 


Let  us  introduce  a  random  variable  J,  independent  of  WoW\W2XnY^Y2  ,  uni¬ 


formly  distributed  over  {1,  •  •  •  ,  n}.  Set 

IJ  =  W0Y{J-'Y2J+\l,  V,  =  W,U,  V2  =  W2U, 
X  4  Xj,  Y1  4  Yu,  Y2  4  y2J. 
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Substituting  these  definitions  into  Eqs.  (2.137),  (2.149),  (2.151),  (2.160,  (2.161),  and 
(2. 174)- (2. 177),  we  obtain,  through  standard  information  theoretic  argument,  the 
desired  bounds  as  in  Eqs.  (2.57)-(2.65).  The  memoryless  property  of  the  channel 
guarantees  U  — >■  V\V2  — >  X  — *  Y\Y2.  This  completes  the  proof. 

To  prove  'R-o?,  is  also  an  outer  bound,  we  follow  exactly  the  same  procedure  except 
that  auxiliary  random  variables  are  defined  differently.  Specifically, 

U  =  W0  Y(~ 1  Y^+ 1 J,  lb  =  Wu  V2  =  W2. 
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Chapter  3 

Broadcast  Channels  with 
Confidential  and  Public  Messages 


We  consider  in  this  chapter  a  variation  of  Csiszar  and  Korner’s  model  of  broadcast 
channels  with  confidential  messages.  The  transmitter  sends  both  a  confidential  mes¬ 
sage  and  a  non-confidential  message  (herein  termed  as  public  message)  to  the  intended 
receiver.  While  the  unintended  receiver  should  be  kept  ignorant  from  the  confiden¬ 
tial  message,  we  do  not  impose  the  requirement  that  the  public  message  needs  to 
be  perfectly  recovered  by  the  unintended  receiver.  This  more  liberal  treatment  of 
the  non-confidential  message  is  perhaps  a  more  reasonable  model  than  Csiszar  and 
Korner’s  model  where  the  non-confidential  message  is  required  to  be  decoded  by  both 
receivers.  A  single-letter  characterization  of  the  achievable  rate  equivocation  region 
of  this  model  is  given,  and  this  result  is  then  extended  to  the  case  where  an  extra 
secret  key  is  available  to  the  intended  transceiver  pair. 
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3.1  Introduction 


Csiszar  and  Korner  [3]  studied  a  general  broadcast  channel  with  two  receivers.  The 
transmitter  communicates  a  confidential  message  to  receiver  1,  of  which  receiver  2 
shall  be  kept  as  ignorant  as  possible.  In  addition,  a  common  message  is  transmitted 
which  is  to  be  recovered  by  both  receivers. 

Apparently,  Csiszar  and  Korner’s  model  conforms  to  the  classical  broadcast  chan¬ 
nel  model  with  both  common  message  and  private  message  [36],  with  the  additional 
secrecy  constraint  imposed  on  receiver  2.  The  inclusion  of  common  message  comes 
from  the  classical  model  for  broadcast  channels;  however,  its  meaningfulness  in  certain 
security  applications  is  questionable,  that  is,  the  requirement  that  receiver  2  needs 
to  decode  the  common  message  might  not  be  justified  in  many  real  applications.  Of¬ 
ten  times,  a  transmitter  needs  to  transmit  multiple  messages  to  a  receiver,  some  of 
which  need  to  be  kept  confidential.  However,  for  the  messages  that  do  not  need  to 
be  kept  confidential,  it  would  be  overly  restrictive  to  require  an  unintended  receiver 
to  completely  recover  them. 

Therefore,  in  the  present  chapter,  we  take  on  a  more  practical  viewpoint  and  study 
a  variation  of  Csiszar  and  Korner’s  model.  We  term  this  broadcast  channel  with 
confidential  and  public  messages  (BCCP).  Whereas  the  confidential  message  shall  be 
kept  secret  from  any  uninteneded  receivers,  the  public  message  is  only  required  to 
be  decoded  by  the  intended  receiver.  We  do  not  impose  any  constraint  on  whether 
the  unintended  receiver  shall  decode  the  public  message  or  not,  even  if  there  is  no 
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incentive  to  protect  the  public  message.  As  such,  we  use  public  instead  of  common 
message  to  differentiate  from  that  of  the  classical  model  of  Csiszar  and  Korner.  For 
easy  reference,  we  will  use  BCCC  (broadcast  channel  with  confidential  and  common 
messages)  to  refer  to  Csiszar  and  Korner’s  original  model  where  the  non-conhdential 
message  is  to  be  decoded  by  both  receivers. 

Similar  to  the  previous  chapter,  we  illustrate  in  Fig.  3.1  the  differences  among  the 
three  models,  Wyner’s  wiretap  channel  model,  Csiszar  and  Korner’s  BCCC  model, 
and  our  present  BCCP  model.  As  shown  in  Fig.  3.1,  BCCP  requires  both  confidential 
message  S  and  public  message  T  to  be  reliably  recovered  at  legitimate  receiver  (Alice). 
For  the  unintended  receiver  (Eve),  we  only  impose  a  constraint  on  the  equivocation 
rate  with  respect  to  S,  whereas  in  Csiszar  and  Korner’s  model,  the  unintended  receiver 
also  needs  to  decode  the  common  message.  A  single  letter  characterization  of  the  rate 
equivocation  region  is  derived  for  BCCP.  Our  result  indeed  indicates  that  BCCP  can 
achieve  better  secrecy  than  BCCC  in  the  sense  that  given  the  same  confidential  and 
non-conhdential  rates,  BCCP  achieves  strictly  larger  equivocation  rate  than  BCCC. 

The  rest  of  the  chapter  is  organized  as  follows.  Section  3.2  gives  the  problem 
formulation  and  related  work.  The  main  result  of  BCCP  is  stated  in  Section  3.3, 
followed  by  discussions  about  major  implications  of  the  main  result.  The  proof  is 
given  in  Section  3.4.  Section  3.5  discusses  its  extended  version,  secret  key  enhanced 
BCCP  model.  We  conclude  our  work  in  Section  3.6. 
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Wyner’s  model 

Csiszar  and  Korner’s  model 

BCCP  model 

Bob  ( S ) 

Bob  ( S ,  T) 

Bob  (5,  T ) 

X 

X 

X 

y  ”  z 

Y  Z 

Y  Z 

Alice  (S)  Eve  ( S ) 

Alice  (5,  T)  Eve  (S,T) 

Alice  (5,  T)  Eve  (5) 

Figure  3.1:  Variations  to  the  wiretap  channel 

3.2  Problem  Formulation  and  Related  Work 

In  this  section,  we  give  a  precise  statement  of  the  problem  that  we  stated  informally 
in  the  previous  section  and  then  summarize  our  results.  Some  of  the  notions  and 
definitions  follow  closely  that  of  [3].  Fig.  3.2  gives  an  illustration  of  the  BCCP  model 
we  study  in  this  chapter. 


Figure  3.2:  Broadcasting  confidential  message  S  and  public  message  T. 


Definition  1.  A  stochastic  encoder  f  :  S  x  T  — >  Xn  with  block  length  n  for  the 
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BCCP  is  specified  by  a  matrix  of  conditional  probabilities  f(xn\s,t),  where  S  and  T 
are  arbitrary  sets  representing  the  possible  confidential  messages  and  public  messages, 
and  f(xn\s,  t )  is  the  probability  that  the  message  pair  (s,  t)  is  encoded  as  channel  input 
xn. 

In  Definition  1,  we  assume  stochastic  encoding  as  randomization  may  increase 
secrecy  [3]. 

Definition  2.  The  encoder- decoder  (/,  ip,  if)  gives  rise  to  (■ n ,  e) -transmission  over  the 
BCCP  iff  for  every  s  G  S,  t  e  T,  decode  p  gives  the  correct  ( s,t )  with  probability 
>  1  -  e. 

In  Definition  2,  unlike  [3],  we  do  not  impose  any  requirement  for  receiver  2  to 
recover  T  . 

Definition  3.  (Ri,  Re,  Rp)  is  an  achievable  rate  triple  for  the  BCCP  iff  for  every 
e  >  0  there  exists  a  sequence  of  message  sets  Sn ,Tn  and  encoder- decoder  (f,tp,if) 
giving  rise  to  (n,  e)  -transmission,  such  that 


lim  —  log  \\Sn\\ 

—  Ri, 

(3.1) 

n—>  oo  Tl 

lim  —  log  T" 

=  Rp, 

(3.2) 

n—>  oo  Tl 

- H(Sn\Zn ) 

>  Re  -  e, 

(3.3) 

n 


where  H(Sn\Zn )  is  evaluated  under  the  assumption  that  the  pair  of  random  messages 
(. Sn,Tn )  is  uniformly  distributed  over  Sn  x  Tn.  The  set  of  achievable  rate  triples  will 
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be  denoted  by  IZbcp-  U  (Pi,  Re,  RP)  G  Pbcp,  we  say  that  R±  and  Rp  are  achievable 
confidential  and  public  message  rates  at  equivocation  rate  Re. 

Clearly,  the  closely  related  work  is  [3] ,  where  Csiszar  and  Korner  characterized  the 
rate  equivocation  region  for  BCCC,  i.e.,  a  broadcast  channel  with  a  common  message 
for  both  receivers  and  a  single  confidential  message  intended  for  the  intended  receiver. 

We  will  revisit  the  idea  of  random  coding  over  noisy  channel  (referred  as  to  [3,  Lemma 
2]),  which  is  stated  below. 

Proposition  10.  If  U  X  — >■  Y Z  forms  a  Markov  chain,  and  I(X;Y\U)  > 

I  (A";  Z\U),  then  for  every  n  there  exists  a  set  xfkl  C  Xn  where  j  G  M.  j  =  {1, . . . ,  Mj} 
and  k  G  XiK  =  {1, . . . ,  Mk}  and  l  G  XiL  =  {1, . . . ,  Ml},  with  the  following  proper¬ 
ties. 

1.  For  each  l  G  XiL,  there  exist  a  U -typical  sequence  uf  G  Un  such  that  every 

xfkl  is  X\U -generated  by  uf.  Moreover,  there  exist  pairwise  disjoint  subsets 
Bi  C  resp.  Ci  C  Jrz\uiu]1)  such  that 

PY\x{Bi\x™ki)  >  1  —  en, 

Pz\x{Ci\x^kl)  >  1  -  en. 

2.  There  exist  pairwise  disjoint  subsets  Bju  C  pY\x(,Xjki)  and  subset  Cjki  C  P z\x{xfkl) , 
of  which  those  with  the  same  index  k  are  pairwise  disjoint,  such  that 

PY\x(Bjki\x]kl)  >  1  —  en, 

Pz\x(Cjki\xjki )  >  l-en. 
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3.  Also,  as  n  — >  oo 


en  — >  0 

-log  ||.A^.7||  I{X;Z\U), 

n 

-  log  ||.vr,v||  I(X-,Y\U)-I(X-,Z\U), 

n 

-log\\ML\\  min  {I{U-Y),I{U-Z)). 

n 

We  can  see  from  Proposition  10  that  the  index  l  can  be  decoded  by  both  Yn  and 
Zn,  in  addition,  given  index  k,  Zn  could  decode  all  indices  j,  k,  l  with  arbitrary  small 
error  probabilities.  In  other  words,  only  the  part  of  message  corresponding  to  index 
k  would  be  kept  secret. 

Based  on  this  proposition,  Csiszar  and  Korner  characterized  the  rate  equivocation 
region  for  BCCC,  summarized  in  Proposition  1.  As  illustrated  in  Fig.  3.3,  to  achieve 
this  rate  equivocation  region,  the  essential  idea  is  to  arrange  the  common  message 
bits  in  index  l  and  put  the  rest  in  index  j  and  k  according  to  Proposition  10.  The 
total  protected  bits  are  then  I(X-,Y\U)  —  I (X]  Z\U). 


Figure  3.3:  Encoding  scheme  of  BCCC. 
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3.3  Main  Result  for  the  BCCP  Model 


Our  main  result  is  the  following  theorem. 

Theorem  7.  TZbcp  is  a  closed  convex  set  consisting  of  those  triples  (Ri,  Re,  Rp)  for 
which  there  exist  RV’s  U  — >  V  — >  X  — y  Y Z  such  that  the  conditional  distribution  of 


Y  (resp.  Z)  given  X  is  determined  by  channel  1  (resp.  2)  and 

0  <  Re  <  Ri,  (3.4) 

Re  <  I(V-Y\U)~I(V-,Z\U),  (3.5) 

Ri  +  RP  <  I(V]Y\U)  +  min(/(C/ ;  Y),  I{U]Z)).  (3.6) 

To  exhaust  R-bcp,  it  is  enough  to  consider  U  and  V  such  that 

\\U\\  <  Ill’ll  +  2,  (3.7) 

||V||  <  ||T||2  +  3||T|| +2.  (3.8) 


In  the  following,  we  discuss  our  main  result  and  its  various  special  cases. 

3.3.1  Comparison  with  Csiszar  and  Korner’s  model 

In  Csiszar  and  Korner’s  model,  the  non-conhdential  message  needs  to  be  reliably 
recovered  at  both  receivers,  which  was  therefore  referred  to  as  the  common  message. 
In  the  present  model,  the  non-conhdential  message  is  only  required  to  be  decoded  at 
receiver  1,  the  reason  we  term  it  public  message. 

Therefore  it  is  intuitive  that  by  relaxing  the  constraint  on  the  non-conhdential 
message,  the  achievable  rate  equivocation  region  ought  to  be  enlarged.  This  can  be 
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easily  verified  by  comparing  Theorem  7  with  Proposition  1(  [3,  Theorem  1])  where 
BCCC  imposes  the  following  additional  constraint  on  the  non-conhdential  message: 

Ro  <  min {I{U\  Y),  I(U ;  Z)}.  (3.9) 

On  the  other  hand,  if  one  set  Ro  =  0  in  Csiszar  and  Korner’s  BCCC  model,  it  is 
easy  to  see  that  the  rate  R\  is  equivalent  to  Ri  +  Rp  in  BCCP,  i.e.,  one  can  view  the 
confidential  and  public  messages  in  BCCP  as  splitting  the  confidential  message  in  the 
BCCC  model  by  setting  R0  =  0.  Fig.  3.4  shows  the  typical  rate  region  of  (i?i  +  Rp 
v.s.  Re)  from  the  main  result  which  coincides  with  Fig.  1  in  [3]. 

Re 


Figure  3.4:  The  typical  rate  region  of  (i?i  +  Rp  vs  Re)  for  BCCP. 

The  real  advantage  of  the  BCCP  model  is  the  enhanced  security  of  the  confidential 
message.  Before  we  present  the  generate  results,  let  us  first  examine  an  extreme 
case  to  appreciate  the  advantage  of  relaxing  the  decoding  requirement  for  receiver 
2.  Assume  we  have  a  less  noisy  channel  [42]  in  the  sense  of  I(U',Z)  <  I(U;Y )  for 
any  U  — >  X  — >  Y Z .  Consider  now  we  have  a  non-conhdential  rate  that  equals 
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ma xI(X]Z).  It  is  clear  that  imposing  receiver  2  to  decode  the  non-confidential 
message  (i.e.,  the  BCCC  model)  will  result  in  R\  =  Re  =  0,  which  can  be  verified 
easily  given  U  =  V  =  X.  On  the  other  hand,  the  BCCP  model  still  can  achieve 
Ri  —  Re  —  I(X]Y)  —  I(X]Z)  which  is  obtained  by  letting  U  =  <f>  and  V  =  X  in 
Theorem  7. 

Denote  by  Cc(R)  and  CP(R)  the  secrecy  capacities  for  BCCC  and  BCCP  at  non- 
confidential  message  rate  R  (i.e.,  R0  =  R  for  BCCC  and  Rq  =  R  for  BCCP).  Equiv¬ 
alently,  Cc(R)  is  the  maximum  of  R.{  such  that  (R\,  R±,  R)  is  achievable  for  BCCC 
while  CP(R )  is  the  maximum  of  R\  such  that  {R  \ .  R  \ ,  R)  is  achievable  for  BCCP.  We 
have 

Proposition  11.  Cc(R)  <  CP(R) 

The  proposition  follows  trivially  from  the  fact  that  the  BCCC  region  is  a  subset 
of  BCCP  region  and  the  definition  of  Cc(R )  and  CP(R). 

Proposition  11  shows  that  it  is  possible  that  a  larger  secrecy  capacity  can  be 
achieved  given  identical  non-confidential  message  rate  Rp  =  Rq  —  R.  The  discussion 
about  the  extreme  case  above  also  indicates  the  improvement  can  be  strict,  i.e.,  the 
inequality  in  Proposition  11  can  be  strict.  In  the  following,  we  generalize  the  above 
result  to  a  special  class  of  broadcast  channels,  namely  less  noisy  symmetric  channels. 
For  this  class  of  broadcast  channels  [11],  uniform  input  simultaneously  maximizes 
I(X;Y),  I{X]  Z),  as  well  as  I(X ;  Y)  —  I  (A";  Z).  Specifically,  we  have 

Proposition  12.  For  a  less  noisy  and  symmetric  broadcast  channel,  BCCP  has  a 
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strictly  larger  rate  equivocation  region  than  BCCC  provided  that  the  non- confidential 
message  rate  is  positive. 

Proof.  From  Theorem  7,  the  rate  region  for  BCCP  for  the  less  noisy  broadcast  channel 
can  be  written  as, 


o  < 

R-e  A  R-l, 

(3.10) 

Re  < 

/(X;Y)-/(X;Z), 

(3.11) 

R\  +  Rp  Y 

I(X-Y). 

(3.12) 

The  proof  is  quite  similar  to  the  proof  of  [3,  Theorem  3]. 

On  the  other  hand,  the  rate  region  for  BCCC  reduces  to 


0 

< 

Q7 

VI 

07 

(3.13) 

Re 

< 

J(X;Y|f/)-/(X;Y|f/), 

(3.14) 

Rq 

< 

m  z ), 

(3.15) 

Rl  +  Rq 

< 

I(X;Y\U)+I(U;  Z). 

(3.16) 

We  separate  the  three  different  cases,  as  illustrated  in  Fig.  3.5. 

1.  Rp  =  i?o  =  0.  As  we  shall  see  in  the  next  section,  the  rate  regions  for  BCCC 
and  BCCP  coincide  with  each  other.  In  addition,  the  rate  region  has  a  right 
angle  at  upper  right  corner  instead  of  a  curve  as  in  Fig.  3.4.  This  is  due  to  the 
fact  that  for  symmetric  channel  /(X ;  Y),  /(X;  Z),  and  /(A";  Y )  —  /(X;  Z)  can 
achieve  their  respective  maxima  simultaneously. 
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(2)  Rp  —  R0  =  max(/(A;  Z)) 


Figure  3.5:  BCCC  and  BCCP’s  rate  regions  of  less  noisy  and  symmetric  broadcast 
channel  in  three  cases,  where  A$  =  max(/(A;Y)  —  I(X;Z)),  A\  =  max(/(A;Y)), 
A2  =  ma x(I(X;Y))  —  R,  A3  =  max(/(A;  Y\U)  +  I(U;  Z))  —  R.  In  (2),  the  rate  region 
for  BCCC  degenerates  into  a  single  point  (0,0). 
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2.  Rp  —  R0  —  rnax/(X;  Z).  BCCC  reduces  to 


Re  —  R\  —  0. 

When  the  non-confidential  message  rate  reaches  the  capacity  of  the  more  noisy 
channel  (receiver  2),  the  confidential  message  is  forced  to  be  zero  even  though 
there  is  positive  excess  capacity  for  receiver  1.  This  is  due  to  the  requirement  in 
BCCC  that  receiver  2  needs  to  decode  the  non-confidential  message.  Transmit¬ 
ting  confidential  message  will  force  the  non-confidential  message  rate  to  back 
off  from  its  maximum.  For  BCCP,  however,  one  can  still  achieve 

Re  =  Ri  =  I{X-Y)-I{X-Z) 

For  this  case,  the  inequality  in  Proposition  11  is  strict  since  C'c(max  I (X ;  Z))  =  0 
while  Cp(maxI(X;  Z))  =  I(X;  Y)  -  I(X ;  Z). 

In  addition,  it  should  be  pointed  out  that  the  public  message  rate  Rp  in  BCCP 
can  exceed  the  wiretap  channel’s  capacity,  i.e.  Rp  >  max  I  (X:  Z).  This  is  an¬ 
other  consequence  of  relaxing  the  decoding  requirement  to  unintended  receiver 
in  the  BCCP  model. 

3.  0  <  Rp  =  Rq  <  max/(X;  Z).  We  observe  from  Eq.  (3.11)  and  Eq.  (3.14)  that 
there  is  always  a  gap  I  {U  \Y)  —  I  (U ;  Z)  for  the  Re  constraint  for  the  two  models 
since 


I{X-Y)~I{X-Z)  =  I(X]Y\U)  —  I(X]  Z\U) 
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+/([/;  Y)  -/(C/;  Z). 


Given  the  less  noisy  assumption  the  BCCP’s  rate  region  is  strictly  larger  than 
that  of  BCCC.  In  addition,  notice  that  the  BCCC  rate  region  has  a  curve 
at  its  upper  right  corner  instead  of  a  right  angle  as  BCCP  because  in  this  case 
I(X ;  Y\U)—I(X;  Z\U )  and  I(X ;  Y\U)+I(U ;  Z)  might  not  achieve  their  maxima 
simultaneously. 

From  the  above  three  cases,  we  know  that  the  BCCP  achieves  strictly  larger  rate 
region  for  a  given  positive  non-conhdentiaf  message  rate.  □ 

3.3.2  No  public  message 

Now  we  turn  to  the  special  case  of  no  public  message  ( Rp  =  0).  We  denote  by  lZie 
the  set  of  achievable  rate  pairs  (Ri,Re)  with  no  public  message,  i.e.,  (Ri,Re)  G  7Zle 
iff  ( Ri,Re,0 )  G  7 Zbcp- 

Theorem  8.  (R\,  Re)  G  Ti\e  iff  there  exist  U  — >  V  — >  X  — >  Y Z  such  that  I{U ;  Y)  < 
I(U ;  Z)  and 

0  <  Re  <  I{V\Y\U)  -I(V-Z\uy,  (3.17) 

Re  <  Ri<I(V;Y).  (3.18) 

Proof.  Taking  Rp  —  0  in  Theorem  7  we  obtain  that  (Ri,Re)  G  77le  iff  there  exist 
U  — >  V  — >  X  — *  YZ  such  that 

Re  <  I(V-Y\U)-I(V-Z\U),  (3.19) 
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Re  <  Ri<I(V;Y). 


(3.20) 


If  I{U]  Y )  <  /([/;  Z),  then  Eq.  (3.17)  and  Eq.  (3.18)  hold. 

If  I{U\Y)  >  I{U ;  Z),  we  get 

Re  <  I(V]Y\U)-I(V]Z\U) 

<  W  Y\u)  -  I(V]  Z\U)  +  I(U ;  y)  -  /([/;  Z) 

=  /(y;y)-/(y;z),  (3.21) 

<  Rl<I{V]Y).  (3.22) 

In  the  latter  case  Eq.  (3.17)-(3.18)  are  satisfied  for  U  =  const.  □ 

Compare  Theorem  8  with  [3,  Corollary  2],  we  see  that  the  region  is  identical  to 
that  of  BCCC  without  common  message.  This  is  not  surprising;  in  the  absence  of 
non-confidential  message,  BCCP  and  BCCC  converge  to  the  same  model  with  only  a 
single  confidential  message. 

3.3.3  Binary  symmetric  broadcast  channel 

The  binary  symmetric  broadcast  channel  (BSBC)  is  a  simple  example  of  a  degraded 
(hence  less  noisy)  broadcast  channel  that  is  also  symmetric. 

Given  a  BSBC  with  crossover  probabilities  p\  and  P2,  0  <  pi  <  P2  <  1/2,  we  can 
view  A",  Y,  Z  as  the  inputs  and  outputs  of  the  cascaded  binary  symmetric  channels 
with  X  — *  Y  — >  Z.  For  less  noisy  channel,  we  have 

0  5;  Re  A  R  \ , 
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Re  <  I(X-Y)-I(X-Z), 


Ri  +  Rp  <  I(X;Y). 

/(X;Y)  achieves  its  maximum  1  —  h(pi)  at  P(X  =  1)  =  P(X  =  0)  =  1/2,  where 
h(-)  is  defined  as  h( A)  =  —A  log  A  —  (1  —  A)  log(l  —  A). 

For  any  arbitrary  P(X), 

I(X;Y)^I(X;Z)  =  H(Y)  -  H(Y\X ) 

<-[H(Z)-H(Z\X)] 

=  h(p2)-h(Pl)  +  H(Y)-H(Z) 

<  h(p2)-h(p  i). 

The  last  inequality  follows  from  the  well-known  fact  (see  [43])  that  the  entropy  of  the 
output  of  a  binary  symmetric  channel,  i.e.  H(Z),  is  no  smaller  than  the  entropy  of 
the  input,  H(Y'). 

Now  that  I(X ;  Y)  and  /(X;  1'')— /(X;  Z)  are  simultaneously  maximized  at  P( X  = 
1)  =  P( X  =  0)  =  1/2,  we  conclude  that,  for  BSBC,  IZbcp  is  given  as 

0  ft  Re  ft  R^ , 

Re  <  h(p2 )  -  h(pi), 

Ri  +  Rp  <  l-h(pi). 

From  this  example,  it  is  clear  that  Rp  can  be  as  large  as  1  —  h(pi)  whereas  for  the 
BCCC  model,  the  non-confidential  message  rate  i?0  <  1  —  h{p2).  Furthermore,  if  the 
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non-confidential  message  rate  is  set  at  1  —  h(p2),  it  can  be  easily  verified  that  for  the 
BCCC  model,  R\  —  Re  —  0  whereas  for  the  BCCP  model  R\  =  Re  =  h(p2)  —  h(jp\) 
can  be  achieved. 

3.3.4  Gaussian  channel 

Our  main  result  can  also  be  extended  to  the  Gaussian  case  as  follows. 

Theorem  9.  For  the  Gaussian  BCCP,  IZbcp  is  a  set  consisting  of  those  triples 
(Ri,  Re,  Rp)  satisfying 

0  <  Re  <  Ri,  (3.23) 

*• s  cG0*cK)’  <3  24> 

Ri  +  Rp  <  (3-25) 

where  the  noises  of  channel  1  and  2  are  both  independently  and  identically  distributed 

(i.i.d.)  Gaussian  sequences  with  variances  N\  and  N2  respectively,  with  N\  <  N2. 
The  power  constraint  of  the  channel  input  is  E(A"2)  <  P .  G(-)  is  defined  as  C  ( x )  = 
|log(l  +x). 

3.3.5  The  source-channel  matching  problem 

Our  main  results  in  the  above  sections  pertain  to  a  channel  coding  problem.  The 
problem  of  source  channel  matching  can  be  treated  in  a  similar  fashion  as  that  of  [3] . 
Consider  two  memoryless  sources  with  alphabets  S  and  T,  i.e. ,  let  SiTi,S2T2 ,  ■  ■  ■ 
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be  i.i.d.  pairs  of  RV’s  (but  St  and  Tt  need  not  be  independent).  Assume  that  block- 
to-block  encoding  is  used:  a  (k,  n)-encoder  is  a  (stochastic)  encoder  in  the  sense  of 
Definition  1  with  block  length  n  and  message  sets  ( Sk,Tk ). 

Definition  4.  The  source  pair  S,T  is  (R,  A) -transmissible  over  the  BCCP,  where 
R  >  0,  A  >  0,  iff  for  every  e  >  0  there  exist  a  ( k,n) -encoder  f  and  decoders  ip,  if 
such  that 

k-  >  R-e, 
n 

yH(Sk\Zn )  >  A-e, 
k 

E  ^dH(SkTk,ip(Yn))  <  e. 

We  shall  refer  to  R  as  the  rate  of  source-channel  matching. 

Theorem  10.  In  order  that  the  source  pair  S,T  be  (R,  A) -transmissible  over  the 
BCCP,  it  is  necessary  and  sufficient  that 

(RH(S),  RA,  RH(T\S))  =  {Ri,ReiRP)  e  HBCP ■ 

Proof.  It  is  similar  to  the  proof  in  [3,  Theorem  3]  by  replacing  (RH (S\T) ,  RA,  RH(T )) 
with  (RH(S),RA,RH(T\S).  □ 

3.3.6  The  model  with  three  classes  of  messages 

We  can  also  generalize  the  result  to  transmitting  three  messages:  confidential  message 
with  rate  R\,  common  message  with  rate  Rq  and  public  message  with  rate  Rp,  which 
is  defined  as  follows. 
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Definition  5.  (Ri,  Re,  Ro,  Rp)  is  an  achievable  rate  quadruple  for  broadcast  channels 
with  confidential,  common,  and  public  messages  iff  for  every  e  >  0  and  sufficiently 
large  n  there  exists  a  sequence  of  message  sets  Sn  ,Tf  ,Tf  and  encoder- decoder  (/,  ip,  fi>) 
giving  rise  to  (n,  e) -transmission,  such  that 


lim  —  log  \\Sn\\ 

ii— >■  oo  n 

—  Ri, 

lim  -log|  7^n| 

n— Kx)  ft 

=  Ro, 

lim  -  log  \\Tf\\ 

n^oo  Tl 

- H(Sn\Zn ) 

an 

>  Re  -  e. 

n 


The  definition  of  (n,  en )  transmission  in  Definition  5  is  now  amended  by  requiring 
that  both  receivers  correctly  recover  the  common  message  T"  with  probability  > 

1  ^n- 

The  following  theorem  describes  the  rate  equivocation  region  for  the  generalized 
model,  whose  proof  is  omitted  as  it  can  be  directly  constructed  by  combining  the 
proofs  for  BCCC  and  BCCP  models. 

Theorem  11.  The  rate  equivocation  region  IZ^msg  is  a  closed  convex  set  consisting  of 
those  quadruples  (Ri,  Re,  R0 ,  Rp )  for  which  there  exist  RV’s  U  — >  V  — >  X  — >  Y Z  such 
that  the  conditional  distribution  ofY  (resp.  Z)  given  X  is  determined  by  channel  1 
(resp.  2)  and 

0  ft  Re  ft  R\ , 

Re  <  I(V-Y\U)~I(V-Z\U), 
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Ri  +  Ro  +  Rp  <  I(V',Y\U)  +  min(/(f/ ;  Y),  I(U;  Z)), 


0  <  R0<mm(I(U;Y),I(U]Z)). 

Apparently  this  theorem  constitutes  a  generalization  of  the  results  of  both  BCCP 
and  BCCC. 

3.4  Proof  of  Theorem  7 

The  direct  part  proof  of  Theorem  7  utilizes  Lemma  2  in  [3]  (as  repeated  in  Propo¬ 
sition  10),  and  the  essential  idea  is  to  split  the  messages  bits  into  three  indices 
Mj,  Mk,  Ml  as  shown  in  Fig.  3.6,  where 

-log  ||  Ml\\  =  min(/(t/ ;  Y),  I(U ;  Z))  —  e; 
n 

—  log  II^A'II  =  I(X;Y\U)-I(X-,Z\U)-e, 

-logUMjH  =  I(X-Z\U)-e. 

n 

As  discussed  before,  MK  will  be  kept  completely  secret  and  thus  part  of  confidential 
message  bits  are  put  into  Mk  to  achieve  equivocation  rate,  and  the  rest  confidential 
message  and  also  total  public  message  bits  are  put  into  Mj  and  Ml  in  order  to  be 
transmitted  to  the  legitimate  receiver  correctly.  We  skip  the  details  here  except  to 
point  out  that  our  proof,  as  in  [3],  also  relies  on  the  convexity  argument:  we  first 
establish  the  achievability  of  a  subset  of  Rbcp  and  then  generalize  it  to  the  entire 


Rbcp  through  a  simple  convexity  argument. 


Figure  3.6:  Encoding  scheme  of  direct  part  proof. 

The  converse  proof  is  similar  to  that  in  Section  2.6.1.  Let  us  assume  the  existence 
of  encoder- decoders  giving  rise  to  (n,  e„) -transmission  over  the  BCCP.  By 

Fano’s  Lemma  we  have 

—H(ST\Yn)  <  Vn. 
n 

where  rjn  — >  0  if  en  — >  0.  We  shall  show  the  existence  of  random  variables  U  — >  V  — >• 
X  Y Z  such  that 

Re  <  I(V;Y\U)  —  I (V;  Z\U)  +  rjn, 

Ri+RP  <  I(V;  Y\U)  +  min (/([/;  Y),  I(U ;  Z))  +  r ln. 

Note  that  Eq.  (3.4)  is  readily  established  from  the  fact  that  H(S\Zn)  <  H(S )  and 
the  definition  in  Eq.  (3.1)  and  (3.3). 

First, 

n{R1  +  Rp)  =  H(ST) 

<  I  (ST ;  Yn)  +  nrjn  (3.26) 

For  Re,  we  have 


nRe  <  H(S\Zn) 
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<  H(ST\Z'1 ) 


<  /(ST;  Yn)  -  /(ST;  Zn)  +  nrjn.  (3.27) 

Defining  T*  =  (T,  ■  ■  ■  ,Yj),  Z-1  =  (Zi}  ■  ■  ■  ,  Zn),  similar  as  the  converse  proof  in  [3],  we 
have 

n 

I(ST-Yn)  =  ^/(ST;T:|Ti-1T+1)  +  S1-S2, 

2=1 

n 

I(ST]Zn)  =  ^IiST-ZilY^Z^  +  Yl-Yl, 

2=1 

where 

n 

Si  =  J]/(zi+1;yi|yi-1), 

2=1 

n 

E*  =  J]/(yi-1;Zi|Zi+1), 

2=1 

n 

e2  =  ^/(zi+1;yi|yi-1TS'), 

2=1 

n 

e;  =  ^/(y^-^Ziiz^TS). 

2=1 

By  [3,  Lemma  7],  we  know 


Ei  =  E*, 
S2  =  E*. 


Furthermore, 

n  n 

Ei  =  ^/(yi+1;T|yi-1)<^/(y*+1y*-1;yJ), 

2=1  2=1 

n  n 

E*  =  ^|Zm)  <  ^  /(T+1y*_1;  Zi). 

2=1  2=1 
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Let  us  introduce  an  RV  J,  which  is  independent  of  (S,T,Xn,Yn,  Zn)  and  uni¬ 
formly  distributed  over  {1,  •  •  •  ,  n}.  Set 

U  =  YJ~1ZJ+1J,  V  =  UST,  X  =  Xj, 

Y  4  Yj,  Z  4  Zj. 

Then  we  have 

-  (/(5T;  Un)  -  I(ST-  Zn ))  =  I(V]  Y\U )  -  J(F;  Z|U);  (3.28) 

n 

-Ei  =  -E?  <  min (/([/;  T),  /([/;  Z)).  (3.29) 

n  n 

Substituting  Eq.  (3.28)-(3.29)  into  Eq.  (3.26)-(3.27),  we  have 

Re  <  I(V-Y\U)^I(V-Z\U)  +  rjn , 

RiYRP  <  I(V-Y\U)  +  mm(I(U-Y),I(U-Z))  +  rin. 

Using  the  memoryless  property  of  the  channel,  it  is  straightforward  to  verify  that 
U  — >  V  — >  X  — >  Y Z  and  that  the  conditional  distribution  of  Y  and  Z  given  X 
coincide  with  the  corresponding  channel  matrices.  The  converse  proof  is  complete. 

The  support  lemma  [44,  Page  310]  is  invoked  to  prove  that  the  region  IZbcp  is  n°t 
altered  if  the  alphabet  sizes  of  U,V  are  bounded  as  in  Eqs.  (3.7)  and  (3.8)  (similar 
to  [3,  Appendix]). 
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3.5  Secret  Key  Enhanced  BCCP  Model 


In  this  section,  we  extend  the  BCCP  model  to  systems  where  a  secret  key,  K,  with  a 
key  rate  Rk,  is  available  to  the  intended  transceiver  pair.  The  key  enhanced  BCCP 
model  is  illustrated  in  Fig.  3.7. 


S 


T 


K 


Figure  3.7:  Key  enhanced  BCCP  model. 

Closely  related  to  the  present  model  is  the  so-called  rate-distortion  theory  for  the 
Shannon  cipher  system  studied  by  Yamamoto  [45].  In  [45],  in  addition  to  having  a 
secret  key  known  to  the  transmitter  and  the  intended  receiver,  the  main  channel  is 
assumed  to  be  less  noisy  than  the  wire-tap  channel,  and  a  single  confidential  source 
is  to  be  communicated  to  the  main  receiver.  The  encoding  scheme  essentially  con¬ 
catenates  three  codes:  one  to  attain  the  ordinary  rate  distortion  function,  a  random 
code  for  the  wire-tap  channel,  and  the  Shannon  cipher’s  modulo  addition  encoding. 
It  was  shown  in  [45]  that  the  security  contributions  from  that  of  the  random  wire-tap 
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encoding  and  the  secret  key  are  additive. 

In  this  section,  we  consider  the  general  discrete  memoryless  broadcast  channel 
instead  of  the  less  noisy  channel.  In  addition,  a  non-conhdential  message  is  also  to  be 
transmitted  along  with  the  confidential  message.  On  the  other  hand,  we  only  consider 
the  channel  coding  problem;  therefore  arbitrarily  small  error  probability  is  imposed 
for  recovering  the  messages  at  the  receiver  instead  of  a  general  distortion  constraint. 
Our  result  indicates  that  for  this  channel  coding  problem  for  the  general  model, 
the  effects  of  random  encoding  and  secret  key  are  still  additive,  as  reflected  in  the 
expression  for  the  equivocation  rate.  The  additive  contribution  to  the  equivocation 
rate  suggests  that  secret  key  can  be  used  to  enhance  the  secrecy  capacity  attained 
via  the  wire-tap  encoding.  Furthermore,  in  the  worst  event  that  the  receiver  2  sees  a 
less  noisy  channel  than  receiver  1,  positive  secrecy  rate  is  still  possible  if  the  key  rate 
is  sufficiently  large. 

The  rate  equivocation  region  of  secret  key  enhanced  BCCP  is  described  in  the 
following  theorem. 

Theorem  12.  Assume  Rk  is  the  secret  key  rate.  The  rate  equivocation  region  IZsp  is 
a  closed  convex  set  consisting  of  rate  triples  (Ri,  Rp ,  R.e)  for  which  there  exist  random 
variables  U  — >  V  — >  X  — >  Y Z  such  that  the  conditional  distribution  ofY  (respectively 
Z)  given  X  is  determined  by  channel  1  ( respectively  2)  and 

0  <  Re  <  Ru  (3.30) 

Re  <  [I(V-Y\U)-I(V-Z\U)]+  +  Rk,  (3.31) 
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Ri  +  RP  <  I(V;Y\U)  +  mm(I(U-,Y),I(U-,Z)), 


(3.32) 


where  [•]+  is  defined  as  [x]+  =  max{i,  0}. 

The  direct  part  of  Theorem  12  can  be  proved,  as  with  [45],  by  concatenation  of 
two  codes:  Csiszar  and  Korner’s  random  channel  code  [3]  and  Shannon’s  modulo 
addition  code  [1],  [46].  The  converse  proof  follows  along  the  similar  line  as  that  for 
the  BCCP  model  in  Section  3.4  (or  see  [47,48]).  We  will  omit  the  detailed  proof  as 
the  model  is  in  fact  a  special  case  of  what  to  be  studied  in  the  next  chapter. 

From  Theorem  12,  one  can  see  that  the  secret  key  does  not  affect  the  rate  con¬ 
straints  for  Rc  and  Rp.  This  is  due  to  the  reasonable  assumption  that  the  key  K  is 
independent  of  the  channel  and  the  information  sources.  The  enhancement  of  secrecy 
due  to  the  presence  of  key  is  in  an  additive  manner,  as  measured  by  the  equivocation 
rate,  i.e.,  Eq.  (3.31).  Consider,  for  example,  an  extreme  case  in  which  channel  2  is 
less  noisy  than  channel  1.  For  such  a  case,  Re  —  0  for  the  classical  BCCP;  however, 
for  BCCP  with  a  secret  key,  a  positive  Re  can  still  be  attained  if  the  key  rate  R %  >  0. 

This  result  also  coincides  with  various  existing  results,  which  is  discussed  in  the 
following  subsections. 

3.5.1  Shannon  cipher  system 

In  [1]  Shannon  assumed  that  both  the  intended  receiver  and  an  eavesdropper  have  an 
uncorrupted  copy  of  the  encrypted  message.  By  setting  Y  —  Z  =  X,  the  channels  be¬ 
come  noiseless  and  our  model  reduces  to  Shannon’s  cipher  system.  From  Theorem  12, 
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we  have 


0  ^  Re  ^  R,\ , 


(3.33) 


Re  —  Rk  i 


(3.34) 


i?i  +  i?p  <  I{V]X\U)  +  I{U]X)  =  I{V]X). 


(3.35) 


If  perfect  secrecy  is  required,  i.e.  Ri  =  Re ,  then  we  have  R\  =  Re  <  Rk  and 
correspondingly  H(S)  <  H(K).  Notice  that  the  condition  H(S)  <  H(K )  is  precisely 
the  same  as  that  obtained  in  [1]  for  Shannon  cipher  system. 


3.5.2  Yamamoto’s  model 


Our  model  considers  a  channel  coding  problem,  while  Yamamoto’s  model  [45]  consid¬ 
ered  a  source-channel  coding  problem,  that  is,  [45]  is  concerned  with  the  transmissi- 
bility  of  a  source  sequence  instead  of  a  message  set.  To  be  concrete,  we  introduce  the 
following  definition  from  [45]. 


Definition  6.  [45,  Definition  1]:  ( R,R'k,D,h )  is  achievable  if  for  any  e  >  0  and 
sufficiently  large  K  and  N,  there  exists  a  code  (/,  0)  satisfying 


<  R  +  e, 


E  d(K\SK,SK)  <  D  +  e, 
flogMk  <  K  +  e, 


—H(Sk\Zn)  >  h-e. 
K 
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We  note  again  that  [45]  deals  with  a  single  message  source  (i.e.,  no  public  message 
is  considered)  hence  only  a  single  rate  R  is  needed.  Since  for  the  BCCP  model,  receiver 
1  is  to  recover  message  arbitrarily  reliably,  this  is  equivalent  to  having  D  —  0,  hence 
R(D)  =  H(S).  Similar  to  the  source-channel  matching  part  [3,  Theorem  2],  we  have 

Proposition  13.  The  source  rate  quadruple  ( R ,  R'k,  0,  h )  is  admissible  iff 

§)  =  (ft,  ft,  ft)  6  Hsu,  (3.36) 

where  IZsie  is  the  achievable  rate  region  for  key-assisted  BCCP  with  no  public  mes¬ 
sage,  i.e.,  (Ri,Re)  e  TZsie  iff  (-Ri,-Re,0)  e  7 ZSP. 

Moreover,  it  is  also  assumed  in  [45]  that  channel  1  is  less  noisy  than  channel  2. 
Specializing  Theorem  12  to  this  model,  we  have 

Proposition  14.  If  channel  1  is  less  noisy  than  channel  2  then  (Ri,Re)  G  IZsie  iff 
there  exist  X ,  Y,  Z  such  that 

0  <  Re  <  I{X ;  Y)  -  I(X ■  Z )  +  Rk,  (3.37) 

Re  <  Ri<I(X-Y).  (3.38) 

Proof.  It  is  also  quite  similar  to  the  proof  of  [3,  Theorem  3].  □ 

From  Proposition  13  and  Proposition  14,  it  is  straightforward  to  show  that  Propo¬ 
sition  14  coincides  with  Yamamoto’s  result  [45,  Theorem  1]  with  D  =  0  which  we 
repeat  below. 
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Proposition  15.  ( R ,  R'k,  D  —  0,  h)  is  admissible  iff  there  exist  r.v’s  X ,Y ,  and  Z  that 
satisfy 


I(X]Y)R  >  H(S), 


(3.39) 


K  >  [h;-{I(X;Y)-I(X-,Z)}R}+.  (3.40) 


3.6  Summary 

We  revisited  the  problem  of  broadcasting  both  a  confidential  and  a  non-conhdential 
message  for  discrete  memoryless  broadcast  channels.  The  present  model  differs  from 
the  classical  model  of  Csiszar  and  Korner  in  that  the  non-conhdential  message  need 
not  be  reliably  recovered  at  receiver  2.  A  single  letter  characterization  of  the  rate 
equivocation  region  was  provided.  By  relaxing  the  constraint  on  the  non-conhdential 
message,  the  new  approach  improves  the  equivocation  rate  for  the  conhdential  mes¬ 
sage  compared  with  the  classical  model.  Furthermore,  this  BCCP  framework  was  also 
extended  to  systems  where  a  secret  key  is  available  to  the  intended  transceiver  pair. 
The  results  reveal  that  the  secret  key  and  the  random  coding  technique  for  broad¬ 
cast  channels  with  conhdential  messages  contribute  to  the  secrecy  of  the  conhdential 
message  in  an  additive  manner. 

More  interestingly,  this  more  liberal  treatment  of  the  non-conhdential  message 
might  be  a  more  reasonable  model  and  can  be  applied  to  various  secure  communica¬ 
tion  models  which  are  otherwise  not  attainable  using  the  classical  BCCC  model. 
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Finally,  we  would  like  to  point  out  that  upon  concluding  this  work,  the  author 
discovered  that  a  special  case  of  this  BCCP  model  was  discussed  in  [44,  Problem 
4.33(c),  Chapter  3,  Section  4],  There,  perfect  secrecy  of  the  confidential  message  is 
required  and  the  result  is  consistent  with  our  result  when  specializing  Theorem  7  to 
the  case  of  Ri  =  Re. 
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Chapter  4 


Secure  Coding  Over  Networks 


In  this  chapter  we  study  the  problem  of  secure  communication  over  networks  in  which 
each  link  may  be  noisy  or  noiseless.  Specially,  a  single-source  single-sink  acyclic  planar 
network  is  assumed,  and  the  communication  between  the  source  and  the  sink  is  subject 
to  non-cooperating  eavesdropping  on  each  link.  A  constructive  proof,  which  combines 
Shannon’s  key  encryption,  Wyner’s  random  coding,  and  the  Ford- Fulkerson  algo¬ 
rithm,  is  presented  which  constitutes  a  readily  implementable  secure  coding  scheme 
for  provably  secure  communications.  This  explicit  encoding  and  routing  scheme  leads 
to  an  achievable  rate  equivocation  region  for  the  secure  coding  over  network  model, 
which  is  shown  to  be  tight  when  specializing  to  a  network  of  non-overlapping  parallel 
links. 
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4.1  Introduction 


The  BCCP  framework,  proposed  in  Chapter  3,  enlarges  the  rate  equivocation  of  the 
classical  BCCC  model  of  Csiszar  and  Korner.  Perhaps  more  significantly,  the  more 
liberal  treatment  of  the  non-confidential  message  makes  it  more  readily  applicable 
to  complex  communication  networks.  One  simple  example  is  illustrated  in  Fig.  4.1, 
where  communication  is  conducted  over  two  independent  sub-channels,  and  each  sub¬ 
channel  is  subject  to  a  non-cooperating  eavesdropper:  Eve  1  or  Eve  2,  which  do  not 
communicate  with  each  other.  To  understand  how  it  works,  we  note  that  in  the  Shan¬ 
non  cipher  system,  the  secret  key  needs  to  be  kept  secret  from  the  eavesdropper  as  it 
also  has  access  to  the  encrypted  message.  However,  given  the  independence  between 
the  key  and  the  confidential  message,  if  an  eavesdropper  only  has  access  to  the  secret 
key  but  without  any  knowledge  of  the  encrypted  message,  complete  secrecy  is  still 
attained.  Thus  the  simple  achievable  scheme  for  the  motivating  example  is  to  com¬ 
municate  a  secret  key  K  on  link  1  while  transmit  the  key-encrypted  message  S®K  on 
link  2,  as  depicted  in  Fig.  4.1.  Protection  against  eavesdropping  on  link  2  is  attributed 
to  the  provable  security  of  one-time  pad.  On  the  other  hand,  the  eavesdropper  on  link 
1  has  only  access  to  the  key  but  not  the  encrypted  message  hence  is  also  completely 
ignorant  of  the  message.  We  comment  here  that  similar  observation  was  made  to 
motivate  the  so-called  secure  network  coding  in  [13]  where  communication  between  a 
single  source  and  multiple  sinks  is  conducted  over  a  noiseless  network. 

This  intuitively  simple  idea  can  be  applied  to  a  more  general  setting  which  we 
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Eve  1 


Alice 


Figure  4.1:  A  motivating  example  of  secure  communication  over  multiple  links. 

consider  in  this  chapter,  namely  secure  communication  over  noisy /noiseless  networks 
where  each  link  can  be  modeled  as  a  wiretap  channel.  This  is  illustrated  in  Fig.  4.2 
where  the  eavesdroppers  do  not  cooperate,  i.e.,  the  eavesdroppers  do  not  communicate 
with  each  other.  A  practically  more  meaningful  yet  equivalent  interpretation  is  that 
communication  is  subject  to  link  eavesdropping  yet  the  location  of  the  eavesdropper 
is  unknown.  Thus  to  measure  the  security  of  this  system,  the  equivocation  rates  over 
every  link  need  to  be  considered  simultaneously.  For  this  model  with  the  assumption 
of  acyclic  single-source  single-sink  planar  graph,  we  obtain  an  achievable  rate  equiv¬ 
ocation  region,  which  is  shown  to  be  tight  when  specializing  to  several  special  cases. 
A  more  important  contribution  is  the  explicit  coding  and  bit  routing  scheme  that 
combines  the  classical  Ford-Fulkerson  algorithm  [49]  for  Max-flow  Min-cut  network 
flow,  the  one-time  pad  scheme,  and  the  random  coding  to  achieve  the  desired  rate 
equivocation  rate-tuple. 

Closely  related  to  the  present  model  is  the  so-called  secure  network  coding  prob¬ 
lem,  first  introduced  in  [13]  and  further  developed  in  [50,51].  The  model  used  in  [13] 
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Figure  4.2:  An  example  of  network  with  non-cooperating  eavesdropping 

is  a  multi-graph  network,  where  the  noiseless  network  with  unit  capacity  edges  is  used 
to  multicast  information  to  multiple  sinks.  An  adversary  is  assumed  to  have  access 
to  an  intact  copy  of  information  communicated  over  a  subset  of  edges.  The  collection 
of  those  subsets  are  known  to  the  designer.  For  this  multicast  model,  the  existence 
of  such  a  secure  linear  network  code  is  proved  in  [13].  With  an  additional  constraint 
on  the  edge  subsets,  more  efficient  algorithms  to  construct  the  secure  network  code 
were  proposed  in  [50,51].  However,  the  network  coding  scheme  proposed  in  [50,51] 
do  not  directly  apply  to  the  unicast  model  with  eavesdropping  on  individual  link  due 
to  the  added  constraint  on  the  edge  subsets.  In  addition,  the  secure  coding  scheme 
proposed  in  the  present  work  is  much  more  efficient  to  implement  and  intuitive  to 
understand. 

This  work  is  also  a  generalized  model  of  Yamamoto’s  work  on  secret  sharing  system 
[10,46,52],  where  two  parallel  broadcast  channels  with  degradedness  assumption  were 
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studied.  There  were  also  some  recent  about  parallel/compound  wiretap  channels 
[16,53,54],  The  model  used  there  however  is  drastically  different:  it  was  assumed 
in  [16,53,54]  that  a  single  adversary  can  simultaneously  eavesdrop  all  parallel  links 
whereas  we  assume  non-cooperating  eavesdropping  in  which  each  link  is  subject  to 
individual  eavesdropping. 

The  rest  of  the  chapter  is  organized  as  follows.  Section  4.2  gives  the  problem 
formulation  and  reviews  related  results.  The  main  theorem  for  noiseless  case  is  given 
in  Section  4.3,  along  with  discussions  about  its  major  implications.  Section  4.4  gives 
the  proof  where  an  explicit  code  construction  and  a  network  routing  scheme  are 
provided.  It  is  then  generalized  to  noisy  case  in  Section  4.5.  Section  4.6  discusses  an 
interesting  special  case,  parallel  links.  We  conclude  in  Section  4.7. 

4.2  Problem  Formulation  and  Related  Work 

Fig.  4.2  illustrates  the  model  studied  in  this  chapter.  We  give  detailed  description 
below. 

•  The  pair  Q  =  (V,  £)  is  called  a  directed  graph,  where  V  and  £  are  the  node  set 
and  the  edge  set  of  Q,  respectively.  Denote  by  Out(v)  and  Ln(v)  the  edge  sets 
flowing  into  and  out  of  the  node  v,  respectively. 

•  The  node  set  V  contains  a  source  node  u  and  a  sink  node  d.  The  messages  S 
and  T  are  encoded  at  node  u  and  then  transmitted  through  the  network  to  d. 
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Both  S  and  T  are  required  to  be  reliably  decoded  at  node  d,  and  S  needs  to  be 
kept  confidential  from  all  eavesdroppers. 

•  The  links  in  the  network  are  subject  to  non-cooperating  eavesdropping.  We 
model  each  link  as  a  general  discrete  memoryless  broadcast  channel,  p(yi0Zio\xio) 
for  each  (i,  o )  G  £,  where  Zi0  is  the  observation  of  the  eavesdropper  and  yi0  is  the 
observation  for  the  legitimate  node  o.  The  network  is  noiseless  if  each  DMBC 
(i,  o )  satisfies  xio  =  ylo  =  zlo.  Otherwise,  the  network  is  said  to  be  noisy. 

The  achievable  rate  tuple  (Rc,  Rp,  Re,io),  (i,o)  G  S,  is  defined  as  follows. 

Definition  7.  The  encoder- decoder  (f,fr,(p),  r  G  V,  r  /  u,d,  gives  rise  to  (n,  e)- 
transmission  over  the  network  Q  iff  for  every  s  G  S ,  t  G  T ,  the  encoder  f  :  S  x 
T  —>  (Xtn,i  G  Out(u)),  mapping  at  each  individual  node  fr  :  G  In(r)) 

(X™,i  G  Out(r)),  and  the  decoder  p  :  (ljn,  i  G  In(d))  S  x  T,  give  the  correct 
( s,t )  at  the  sink  node  with  probability  >  1  —  e. 

We  note  that  the  encoder-decoder  defined  above  also  include  all  mappings  at 
intermediate  nodes. 

Definition  8.  (Rc,  Rp,  Rey0),  (i,o)  G  S  is  an  achievable  rate  tuple  for  the  network 
iff  there  exists  encoder-decoder  (f,fr,p)  for  the  message  sets  Sn ,Tn  giving  rise  to 
(■ n ,  en) -transmission  with  en  — >  0,  such  that  for  (■ i ,  o)  G  S 

lim  —  log||(Sn||  =  Rc,  (4.1) 

n—¥ oo  n 
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(4.2) 


lim  -!og||7~'*||  =  Rp, 

n— >•  oo  Tl 

lim  -H(Sn\Z?)  >  Re,io,  (4.3) 

n—>  oo  fl 

Here,  Rc  is  the  confidential  message  rate  transmitted  over  the  network  between 
the  source  node  and  the  sink  node;  Rp  is  the  key  rate  and  the  key  itself  is  transmit¬ 
ted  along  with  the  confidential  message  through  the  network,  which  is  in  essence  the 
public  message  described  in  the  previous  chapter;  the  equivocation  rate  Re,io  mea¬ 
sures  the  ignorance  of  the  eavesdropper  on  link  (i,  o)  with  respect  to  the  confidential 
message;  Re^0  =  Rc  implies  perfect  secrecy  against  the  eavesdropper  on  link  (i,o). 
Here  we  comment  that,  since  each  link  in  the  network  is  subject  to  non-cooperating 
eavesdropping,  we  need  to  consider  equivocation  rates  for  all  links  in  the  network. 

4.2.1  Related  Work 

The  network  model  is  related  to  that  of  [13],  where,  instead  of  a  single  sink,  they 
studied  the  problem  of  multicasting  information  securely  to  multiple  destinations 
D  against  eavesdropping  A.  A  is  a  collection  of  edge  sets  and  the  eavesdropper 
has  complete  access  to  one  of  the  edge  sets,  while  his/her  choice  is  unknown  to  the 
transmitter.  [13,  Theorem  2]  specifies  the  conditions  under  which  it  is  possible  to 
obtain  an  admissible  linear  network  code  to  achieve  perfect  secrecy.  The  existence 
of  such  code  is  hard  to  verify  directly  from  [13,  Theorem  2];  instead,  a  more  explicit 
sufficient  condition  is  given  in  [13,  Theorem  3],  and  repeated  below. 
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Proposition  16.  [13,  Theorem  3]  The  message  S  hasn  —  k  bits  and  the  independent 
random  key  has  k  bits.  Let  Q*  =  (V,  £*),  where  S*  C  £,  be  a  subgraph  of  Q  satisfying 
the  following: 

1.  For  any  destination  d  C  D,  there  are  n  disjoint  paths  in  Q*  from  the  source 
node  u  to  the  sink  node  d  ,  where  the  paths  are  unit- capacity. 

2.  For  any  A  C  A,  there  are  at  most  k  disjoint  paths  in  Q*  from  the  source  node 
u  to  the  channels  in  A  C  S* . 

If  such  a  subgraph  Q*  exists,  then  there  exists  an  admissible  network  code  to  transmit 
the  message  S  with  perfect  secrecy. 

The  noiseless  case  of  the  present  model  is  also  related  to  the  celebrated  Max-flow 
Min-cut  theorem  [49,  55]  in  network  flow.  Assume  that  each  link  in  the  network  is 
noiseless  with  capacity  Clo,  (i,  o )  G  S.  The  Max-flow  Min-cut  theorem  can  be  stated 
as  follows. 

Proposition  17.  The  maximal  throughput  Cq  of  a  network  Q,  i.e.,  the  network 
capacity,  is 

Cc  =  E 

(i,o)e(ioycut 

where  Cut  is  defined  as  a  cut  of  this  network  [56],  which  splits  the  node  set  V  into 
two  disjoint  subsets:  a  source  subset  Ucut  and  a  sink  subset  T>cut,  where  u  G  Ucut 
and  d  G  T>cuti  (IO)lcut  ^  defined  as  the  edge  set  for  this  given  cut  Cut,  where  for 
j  lj  2,  •  •  •  ,  (i,  o') cuf  j  G  £ ,  icut,j  £  Ucut,  Ocut,j  G  * 
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4.3  Noiseless  Case 


We  first  consider  a  simple  yet  important  case  when  each  link  in  the  network  is  noiseless 
and  each  eavesdropper  has  a  verbatim  copy  of  the  message  transmitted  over  the 
corresponding  link.  As  such,  random  coding  will  not  be  useful.  Instead,  we  will 
exploit  the  route  diversity  in  the  network  in  order  to  achieve  the  desired  security:  the 
fact  that  the  source  may  have  multiple  independent  routes  to  the  destination  allows 
the  sender  to  encode  the  message  in  such  a  way  that  for  an  adversary  that  eavesdrops 
on  a  single  link,  it  will  gain  no  information  about  what  is  transmitted.  One  logical 
step  is  to  use  the  Ford- Fulkerson  algorithm  for  maximum  network  flow  to  obtain  a 
information  transmission  path  set  and  then  appropriately  encrypted  the  messages 
transmitted  over  this  path  set.  However,  different  paths  may  share  the  common  links 
and  protection  against  eavesdropping  over  those  shared  links  needs  to  be  carefully 
devised.  In  the  following,  we  give  an  achievable  rate  region,  obtained  by  imposing 
an  additional  constraint  on  the  structure  of  the  network.  Specifically,  we  assume  a 
planar  graph  [56],  meaning  that  the  graph  can  be  drawn  on  the  plane  in  such  a  way 
that  its  edges  intersect  only  at  their  nodes.  This  assumption  simplifies  the  proof  and 
is  also  a  meaningful  model  to  describe  real  computer  or  communication  networks. 

Theorem  13.  The  rate  tuple  for  a  planar  graph  network,  (Rc,  Rp,  Re,io),  ( i,o )  e  £, 
is  achievable,  if  there  exist  auxiliary  numbers  rlo  such  that 

rio  <  Cio,  (4.4) 
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(4.5) 


0  <  Tjo  <  Rc  +  Rp , 


0 

< 

Re,io  —  -^c? 

(4.6) 

0 

< 

Rc  +  Rv  <  min 

F  Cut 

I]  r'», 

(4.7) 

(i 

•o)e(ioycut 

R e,io 

< 

Rc  Rp  ^ io  • 

(4.8) 

We  can  provide  intuitive  interpretation  of  Theorem  13  below. 

1.  Tic  can  be  viewed  as  the  bits  transmitted  via  the  present  edge  (i,  o ). 

2.  Eq.  (4.4)  is  natural  as  the  transmitted  bits  can  not  exceed  the  present  edge’s 
capacity. 

3.  The  transmitted  bits  come  from  the  confidential  and  public  messages  and  thus 
can  not  exceed  the  total  rate,  which  results  in  Eq.  (4.5). 

4.  Eq.  (4.6)  is  obvious  as  the  equivocation  rate  Re  io  can  not  exceed  the  confidential 
message  rate  Rc  itself. 

5.  Eq.  (4.7)  implies  that  total  throughput  can  not  exceed  the  network  capacity 
according  to  the  celebrated  Max-flow  Min-cut  Theorem. 

6.  Eq.  (4.8)  implies  that  Re,io  is  bounded  by  the  bits  which  are  not  transmitted  via 
the  present  edge  (i,o).  To  be  more  precise,  the  rate  Rc  +  Rp  —  Ti0  can  be  further 
split  into  two  parts:  the  first  part  is  the  confidential  message  not  transmitted 
via  the  present  edge  (i,  o),  which  is  automatically  kept  perfectly  secret  from  the 
wiretapper  of  edge  (*,  o);  the  second  part  comes  from  the  public  message  that 
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is  not  transmitted  via  the  link  (i,  o )  which  will  serve  as  a  secret  key  for  the  bits 
transmitted  via  (i,o). 


Applying  perfect  secrecy  constraint  for  all  links,  i.e.,  Re,io  =  Rc  for  all  (i,o)  E  S, 
the  rate  region  reduces  to  the  following. 

Proposition  18.  A  rate  pair  (. Rc ,  Rp)  can  attain  perfect  secrecy  if 


VI 

o 

Rc  +  Rp<  min  ^2  rio , 

(4.9) 

(i,o)e(iO)lcut 

io  ^ 

r. 

KylO') 

(4.10) 

io  — 

Rpi 

(4.11) 

which  can  be  simplified  as 

0  ^  Rc  “1  Rp  ^  min  E  min(C,;0,  Rp). 

(i,o)e(iO)lcut 

We  defer  the  proof  of  Theorem  13  to  Section  4.4;  the  achievability  proof  provides 
an  intuitive  secure  coding  scheme  that  is  rather  easy  to  implement  and  intuitive  to 
understand.  In  the  following,  we  discuss  various  special  cases  of  our  main  result. 

4.3.1  Without  secrecy  constraint 

Not  surprisingly,  in  the  absence  of  secrecy  constraint,  Theorem  13  reduces  to  the 
well-known  Max-flow  Min-cut  theorem  for  a  single-source  single-sink  network  (see 
Proposition  17),  where  Rc  +  Rp  represents  the  entire  throughput  of  the  network. 
Thus  the  coding  scheme  would  indeed  achieve  optimal  throughput  in  the  absence 
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of  secrecy  constraint.  Our  result  actually  provides  an  alternative  expression  of  the 


Max-flow  Min-cut  theorem, 


0 

< 

T io  —  Rc  "P  Rpi 

(4.12) 

rio 

< 

Cioi 

(4.13) 

0 

< 

Rc  +  Rri  <  min  >  rlo. 

y  Z - ✓ 

(4.14) 

(i,o)e(ioycut 

4.3.2  Relationship  with  Cai  and  Yeung’s  result 

We  comment  that  Proposition  18  is  in  fact  consistent  with  the  result  in  [13]  (as 
repeated  in  Proposition  16). 

Specializing  Proposition  16  to  the  network  with  only  one  single  sink  and  restricting 

each  wiretap  edge  set  A  e  A  to  correspond  to  each  individual  link  in  the  network, 

the  subgraph  concept  in  Proposition  16  coincides  with  that  of  the  auxiliary  number 

Tjo  in  Proposition  181.  This  implies  Eq.  (4.10).  Now  that  the  network  has  totally 

min  rj0  disjoint  paths  each  with  unit  capacity,  it  is  therefore  easy  to  show 

(i,o)e(io)lcut 

that  conditions  1)  and  2)  in  Proposition  16  also  coincide  with  Eqs.  (4.9)  and  (4.11). 

Therefore,  the  result  of  Proposition  18  is  consistent  with  that  of  [13,  Theorem 

3]  when  reduced  to  a  single  sink  case.  However,  as  we  shall  see  from  the  following 

achievability  proof,  different  from  [13,  Theorem  3]  where  sufficient  condition  for  the 

existence  of  a  network  code  is  addressed,  we  will  provide  an  explicit  and  simple  code 
1The  idea  of  auxiliary  numbers  was  first  introduced  in  Yamamoto’s  treatment  of  secret  sharing 
communication  systems  [52]. 
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construction  for  secure  communication  over  networks. 


4.4  Achievability  Proof 

In  the  following,  we  give  the  proof  of  Theorem  13.  Our  proof  utilizes  the  so-called 
reduced  network  concept  (illustrated  in  Fig.  4.3(b)),  as  a  result  of  applying  the  Ford- 
Fulkerson  algorithm.  The  encryption  and  bit  routing  on  the  reduced  graph  occur 
over  virtually  parallel  paths  (reminiscent  that  of  [48]).  The  remaining  difficulty  is 
to  deal  with  the  case  when  common  edges  are  shared  by  neighboring  paths.  This  is 
accomplished  by  the  way  encoded  bits  are  distributed  to  the  paths  and  the  associated 
entropy  property  (c.f.  Lemma  7). 

4.4.1  Revisit  the  Ford-Fulkerson  algorithm 

Prior  to  the  achievability  proof,  we  first  revisit  the  Ford-Fulkerson  algorithm  which 
was  used  for  the  achievability  proof  of  the  Max-flow  Min-cut  theorem.  We  begin  with 
some  definitions. 

Definition  9.  In  a  directed  graph  Q ,  a  Path  is  a  sequence  of  edges  ei,  e<i,  ■  ■  ■  ,ei  such 
that  e\  G  Out(u),  e/  G  In(d),  and  for  1  <  i  <  l  there  exist  r.i  G  V  such  that  e%  G  /n(rj) 
and  ei+1  G  Outfrf). 

Definition  10.  Two  paths  share  an  edge  or  node  if  this  edge  or  node  is  contained  by 
two  paths.  Two  paths  are  different  if  one  path  contains  no  less  than  one  edge  that  is 
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(a)  Original  network 


(b)  Reduced  network 


Figure  4.3:  An  example  illustrating  the  achievability  proof. 

not  shared  by  the  other  path.  A  path  with  flow  amount  f  means  that  each  edge  of  this 
path  has  flow  f  and  thus  an  information  flow  with  total  amount  f  can  go  through  this 
pipeline  path  from  u  to  d. 

The  Ford-Fulkerson  algorithm  is  stated  below. 

1.  Set  i  —  1. 

2.  Find  any  path  from  the  source  node  to  the  sink  node  that  has  a  strictly  positive 
flow  capacity  remaining  in  each  edge.  If  there  is  no  such  path  left,  exit. 
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3.  Determine  /*,  the  maximum  flow  along  this  path,  which  will  be  equal  to  the 
smallest  flow  amount  on  any  edge  in  the  path  (the  bottleneck  edge). 

4.  Store  this  path  as  Pathi  with  flow  amount  ft . 

5.  Subtract  /)  from  the  remaining  flow  capacity  in  the  forward  direction  for  each 
edge  in  the  path.  Add  /,;  to  the  remaining  flow  capacity  in  the  backwards 
direction  for  each  edge  in  the  path. 

6.  Set  i  —  i  +  1.  Go  to  step  2). 

The  Ford- Fulkerson  algorithm  is  a  ‘greedy’  approach  to  find  a  set  of  paths  such  that 
on  termination,  the  sum  of  the  flows  along  those  paths  gives  the  maximal  total  flow 
between  the  source  and  the  sink  nodes.  This  path  set  constitutes  the  so-called  reduced 
network,  which  has  the  following  properties. 

1.  The  graph  of  the  reduced  network  is  the  same  as  that  of  the  original  network 
except  possibly  that  some  edges  of  the  original  network  are  missing  (with  0  flow 
amount) . 

2.  Each  edge  in  the  reduced  network  has  a  flow  amount  equal  to  or  less  than  the 
capacity  of  the  corresponding  edge  in  the  original  network. 

3.  The  sum  flow  amounts  of  the  input  and  output  edges  of  any  node  in  the  reduced 
network  are  equal.  The  sum  flow  amount  from  the  source  subset  to  the  sink 
subset  for  any  cut  in  the  reduced  network  is  equal  to  the  min-cut  value  of  the 
original  network. 
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The  following  proof  utilizes  this  reduced  network. 


4.4.2  Proof  of  Theorem  13 

In  this  present  section,  we  adopt  an  algorithmic  approach  to  prove  the  achievability 
of  Theorem  13.  As  we  shall  see,  the  proof  itself  provides  an  explicit  and  efficient 
method  comprising  of  encoding,  decoding,  and  bit  routing  for  secure  communication 
over  a  noiseless  network. 

To  simplify  the  proof,  we  assume  that  the  plane  graph  is  bounded  in  the  2D  plane, 
as  illustrated  in  Fig.  4.3.  The  result  can  be  extended  to  unbounded  case  by  a  simple 
manipulation  of  the  bit  sequences.  For  convenience,  we  introduce  a  virtual  edge  In(u) 
flowing  into  the  source  node  u  and  a  virtual  edge  Out(d)  flowing  out  of  the  sink  node 
d  for  this  bounded  graph. 

We  construct  a  code  according  to  the  following  three  steps. 

Step  1  Convert  the  uniformly  distributed  message  variables  Sn  and  Tn  into  i.i.d. 
Bernoulli (|)  binary  sequences  b  :  61;  •  •  *  ,  bnRc  and  k  :  ki,  ■  ■  ■  ,  knRp. 

Step  2  Pre-process  the  bit  sequences  b  and  k  by  modulo  addition. 

Step  3  Assign  the  processed  bits  to  the  paths  in  the  reduced  network  in  a  proper 
way  to  ensure  reliable  and  secure  delivery  to  the  destination. 

Step  1  converts  the  present  problem  to  binary  case  where  one-time  pad  can  be  eas¬ 
ily  implemented  by  X OR  (or  modulo  2  addition).  Steps  2  and  3  are  further  elaborated 
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below. 


Step  2  The  modulo  2  sum  of  the  two  binary  sequences  b,  k  results  in  the  encoded 
bit  sequence  c  defined  as, 

{ci,  C2,  '  '  '  ,  Cn^c_|_n/Jp }  {^1)  1  k nRp j  ^1  ©  62  ©  k'2 *  1  bnRp  ©  knRpl 

Krp+ 1  ©  ki,  bnRp+ 2  ©  k2,  ■  ■  ■  ,  bnR c_i  ©  k(nRc- i)nRp, 

bnRc  ©  k(nRc)nRp  } 

where  (a)&  denotes  a  modulo  6.  Thus  c  is  a  length  n(Rp  +  Rc)  sequence  with  the 
header  bits,  i.e.,  the  first  nRp  bits,  corresponding  to  the  public  message  bits  (key 
bits)  and  the  rest  of  the  sequence  obtained  by  repeatedly  (if  Rp  <  Rc)  using  the  key 
bits  k  to  encrypt  (modulo  2  sum)  the  confidential  message  bits  b.  If  Rp  >  Rc,  each 
key  bit  will  be  used  at  most  once  in  the  encryption  process.  The  encoded  sequence 
has  the  following  property. 

Lemma  7.  The  conditional  entropy  of  b  given  any  contiguous  length-r  (r  <  n(Rc  + 
Rp) )  segment  of  the  bit  sequence  c,  say,  Cj,  Cj+i,  •  •  •  ,  Cj+r-i,  satisfies 

H(  b|  Cj,  Cj+ 1,  •  •  •  ,  Cj+r- 1)  =  min(ni?c,  n(Rc  +  Rp)  —  r ). 

Lemma  7  can  be  easily  proved  by  simple  calculation,  which  is  given  in  the  ap¬ 
pendix  (Section  4.8.1). 

Step  3  Due  to  Lemma  7,  the  desired  secrecy,  Eq.  (4.8),  is  attained  as  long  as  it 
can  be  guaranteed  that  any  bit  sequence  assigned  to  every  link  in  the  network  is  a 
contiguous  segment  from  c.  Essentially,  the  solution  is  to  construct  a  set  of  virtually 
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parallel  paths  in  the  network,  which  should  also  achieve  the  maximal  throughput. 
This  is  illustrated  in  Fig.  4.3(c).  Given  such  a  virtually  parallel  path  set,  assigning 
the  bit  sequence  c  successively  to  those  paths  would  automatically  achieve  the  rate 
equivocation  region  described  in  Theorem  13. 

In  order  to  study  the  virtually  parallel  path  set,  we  give  the  formal  definition  of 
the  path  order  for  the  bounded  plane  graph. 

Definition  11.  A  path  A  is  higher  in  order  than  a  path  B  iff  for  any  node  r  shared 
by  A,B,  the  input  and  output  edges  of  A,  B  at  node  r  are  clockwise  ordered  as 
{Ai,  A0,  Ba,  Bi}.  Conversely,  a  path  A  is  lower  than  a  path  B  iff  the  edges  are  ordered 
as  {Bi,  Ba,  A0,  Ai} .  The  paths  A  and  B  are  said  to  crossover  (i.e.,  unordered )  if  the 
path  A  is  neither  higher  nor  lower  than  the  path  B.  Thus,  for  an  ordered  path  set, 
there  exists  no  crossover  path  pair  in  the  set. 

The  examples  are  shown  in  Fig.  4.4.  Alternatively,  two  paths  are  ordered  (parallel) 
if  there  exists  a  line  in  the  plane  connecting  the  source  and  sink  that  separates  these 
two  paths. 

Definition  12.  An  edge  e  =  (i,o)  is  higher  than  a  path  A  iff  there  exist  a  path  B  in 
the  network,  which  contains  the  edge  e  and  is  higher  than  A. 

With  the  above  definitions,  we  have  the  following  lemmas. 

Lemma  8.  An  ordered  path  set  (from  the  highest  path  to  the  lowest  path)  can  be 
constructed  for  information  flow  in  a  bounded  plane  graph,  if  the  flow  amount  is  no 
more  than  the  min-cut  value  of  this  graph. 
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A0  4* 


(a)  Parallel  Paths 


Out(d ) 
(Aa,  Ba ) 


(b)  Crossover  paths 


Figure  4.4:  Examples  for  parallel  and  crossover  path 

Lemma  9.  Only  the  paths  with  successive  order  can  share  common  edges,  i.e.,  Pathi 
and  Pathk  can  not  share  any  edge  which  is  not  contained  in  Pathj  when  i  <  j  <  k. 

Lemma  8  can  be  proved  by  a  slight  modification  of  the  Ford- Fulkerson  algorithm 
while  Lemma  9  can  be  established  by  definition.  The  proofs  are  illustrated  in  the 
appendix  (Sections  4.8.2  and  4.8.3). 

To  complete  the  coding  scheme,  we  would  assign  the  bit  sequence  {ci,  c2,  •  •  •  ,  cnRc+nRp} 
to  the  ordered  path  set  successively.  This  achieves  the  min-cut  value  according  to 
Lemma  8;  as  such,  Eq.  (4.4,  4.5,  4.7)  hold.  Then  by  Lemma  9,  it  can  be  shown  that 
bits  flowing  in  each  edge  (i,o)  G  £  would  be  a  contiguous  segment  of  the  bit  sequence, 
say,  Cj,  Cj. |_i,  •  •  •  ,  Cj+nr>  i ,  where  r'io  <  rio.  Finally  by  Lemma  7,  we  can  ensure  that 
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the  equivocation  rate  with  min (nRc,n(Rc  +  Rp)  —  nr'io)  >  min (nRc,n(Rc  +  Rp)  — nri0 ) 
bits  can  be  obtained  for  link  (i,o),  which  means  Eqs.  (4.6,  4.8)  are  satisfied.  This 
completes  the  proof  of  Theorem  13. 

4.5  Noisy  Case 

The  following  result  is  for  the  case  where  the  links  in  the  network  are  noisy,  which 
generalizes  Theorem  13. 

Theorem  14.  The  rate  tuple  for  a  planar  graph  network,  (Rc,  Rp,  Re,io),  ( i,o )  G  £, 
is  achievable,  if  there  exist  auxiliary  numbers  rio  and  random  variables  Uio  Vlo  — > 
Xio  YioZio  such  that 


0 

< 

r io  —  Rc  Rp, 

(4.15) 

0 

< 

Re,io  —  Rc, 

(4.16) 

0 

< 

Rc  +  Rp  <  min  rio, 

Cut  ^ 

(i,o)e(ioycut 

(4.17) 

rio 

< 

Yio\Uio)  +  mm(I(Uio-  Yio),I(Uio ;  Zio)), 

(4.18) 

Re,io 

< 

\I{Vio',  Yi0\Uio)  —  Iiyio-  Zio\Ui0)]+  +  Rc  +  Rp  —  r. ia. 

(4.19) 

From  Eq.  (4.19),  we  can  see  that  each  individual  equivocation  rate  Re,io  is  now 
bounded  by  the  sum  of  the  excess  capacity  [/(V)0;  Yi0\Ui0)  —  /(V)0;  Zi0\Ui0)]+  of  the 
main  channel  over  the  wiretap  channel  in  DMBC  (i,  o)  and  the  bits  Rc+Rp  —  rio  which 
are  not  transmitted  via  the  present  DMBC.  This  implies  that  our  presented  routing 
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scheme  for  noiseless  network  and  random  coding  over  noisy  channel  contribute  to  the 
equivocation  rate  in  an  additive  manner. 

4.5.1  Proof  of  Theorem  14:  noisy  case 

With  noisy  links  in  the  network,  we  propose  a  decode- and- forward  coding  scheme  to 
achieve  the  rate  equivocation  region  stated  in  Theorem  14.  Specifically,  we  shall  apply 
random  coding  over  the  wiretap  channel  (see  [3]  or  Section  3.4)  for  each  edge,  and  the 
intermediate  relay  nodes  are  required  to  decode  and  then  re-encode  the  transmitted 
message  bits,  where  the  bits  assignment  over  each  edge  is  according  to  the  noiseless 
routing  scheme  presented  in  the  previous  section. 

For  each  edge,  we  use  random  coding  for  the  corresponding  bit  sequence  trans¬ 
mitted  over  the  current  link,  i.e.,  rto.  Then  Eqs.  (4.15)  and  (4.17)  are  satisfied  due 
to  the  decode- forward  scheme  and  the  noiseless  routing  scheme,  and  Eq.  (4.18)  is 
established  since  the  random  coding  scheme  is  applied  to  each  edge. 

It  remains  to  check  Eq.  (4.19),  and  the  other  inequalities  in  Theorem  14  are 
straightforward  to  prove.  Before  applying  random  coding,  we  first  convert  the  as¬ 
signed  bit  sequence.  For  simplicity,  assume  that  an  edge  (i,  o)  is  required  to  trans¬ 
mit  S[  =  (&i  ©  k,  b-2  ©  k).  This  sequence  is  then  converted  to  the  sequence,  S"  = 
(&i  ©  k,  b2  ©  bi)  as  they  are  one-one  correspondence.  We  then  apply  random  coding 
to  the  sequence  by  protecting  the  b\  ©  b2  part,  as  illustrated  in  Fig.  4.5. 
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I(Vio-,Yio\Uio)  -  I(Vio-Zio\Uio) 

Figure  4.5:  A  simple  example  illustrating  the  decode-and-forward  and  random  coding 
scheme. 

Thus  by  defining  Si  =  (bi,  b2)  and  S  =  (Si,  S2)  we  have, 

H(S\ZZ)  =  H(SuS2\Zl) 

=  H(S1\ZZ)  +  H(S2\S1,ZZ) 

=  H(S1\Zl)  +  H(S,) 

=  5,|Z”): -  H(S';\SlZZ)  +  H(S2) 

=  H(S"\ZZ)  +  HiS^S!,  Zl)  -  H(Sl;\S1ZZ )  +  H(S2) 

=  h(s';\zz)  +  ff(Si|s;')  -  ffwisiz”)  +  /f(s2) 

=  H(S';\Z«)  -  h(s';\s,zz)  +  ff(s2, s.isn 
=  -  if  (SI'ISiZ”)  +  +  Rc-  rio) 

(5) 

>  H(S';\Z?0)  +  n(Rp  +  Rc-ri0)-en 

(6) 

>  n(I(Vio-  Yio\Uio)  -  I  (Via ;  Zio|C/io))  +  n(Rp  +  Rc  -  rio)  -  en. 

(1)  and  (3)  hold  since  S2  is  independent  of  Si  and  K  and  thus  also  independent 
of  S"  and  Z”. 

(2)  holds  since  Si  — >  S"  — >  Z™0  forms  a  Markov  chain. 

(4)  holds  since  H(S2,  Si|S")  =  H(S2 ,  Si|S()  =  n(Rp  +  Rc  —  Ti0)  by  Lemma  7. 
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(5)  holds  due  to  the  random  coding  property  (Proposition  10)  that  Zff0S\  can 
determine  S"  with  an  arbitrarily  small  error  probability. 

(6)  holds  since  ±H(S"\Z£)  >  I(Vio;  Yio\Uio)  - I(Vio;  Zio\Uio )  as  proved  in  the  direct 
part  proof  in  [3]. 

From  the  above  analysis,  we  know  the  random  coding  and  key  encryption  can 
contribute  to  the  equivocation  in  an  additive  manner.  This  completes  the  proof  of 
noisy  case. 


4.6  Special  Case:  Parallel  Links 

When  specializing  the  network  to  one  that  is  composed  of  m  parallel  paths,  we  can 
prove  that  the  achievable  region  described  in  Theorem  14  is  indeed  tight.  Here  the 
parallel  path  network  concept  is  defined  as  that  the  Ford- Fulkerson  algorithm  can 
lead  to  a  reduced  network  in  which  no  two  paths  share  a  common  edge.  A  special 
case  of  such  network  is  one  in  which  all  intermediate  nodes  (i.e.,  except  for  the  source 
and  sink  nodes)  has  only  one  incoming  edge  and  one  outgoing  edge,  as  illustrated  in 
Fig.  4.6. 

For  simplicity,  we  introduce  a  different  notation  for  an  edge  (i,  o )  in  a  parallel  path 
network.  Given  a  m  parallel  path  network,  we  define  the  link  set  in  the  jth  parallel 
path  as  Ij  =  (lj,  2j,  •  •  •  ,  Lj),  j  G  (1,  2,  •  •  •  pm).  Thus  a  valid  cut  for  this  network  is 
Cut  :  (ij),j  —  1,  2,  •  •  •  ,  m  with  ij  e  Ij. 

Theorem  15.  The  rate  tuple  for  a  m  parallel  path  network,  (Rc,  Rp,  Re,ij),  ij  £  Ij 
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Figure  4.6:  An  example  of  m  =  3  parallel  path  network,  where  ij  means  the  ith  link 
of  the  jth  path. 


with  j  G  (1,  2,  •  •  •  ,  m),  is  achievable,  iff  there  exist  auxiliary  numbers  rl;j  and  random 
variables  V{.  — *  — >•  1 Z,  sttc/t  £/ta£ 


0  <  r i .  <  Rc  + 


0  <  iL  i,  <  i?c, 


0  <  i?c  +  i?D  <  min  )  r, . , 

-  C  P  -  Cat  ^  %  ’ 


j=l 


A,  <  /(^syiJ^J  +  min^;^.),/^.;^.)), 


<  [I(Vij]Yipi.)-I(Vij;Zij\Uij)}+  +  Rc  +  Rp-rij, 


Proof.  The  direct  part  is  proved  by  specializing  Theorem  14  to  the  parallel  path 
network.  The  converse  proof  is  in  the  appendix  (Section  4.8.4).  □ 


4.6.1  The  m  parallel  channel  model 

In  this  subsection,  we  further  specialize  the  m  parallel  path  network  to  m  parallel 
channel  model,  which  is  illustrated  in  Fig.  4.7.  The  difference  with  an  m  parallel 
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path  network  is  that  we  now  assume  each  path  consists  of  a  single  hop  channel 
between  the  source  and  the  sink  with  no  intermediate  nodes.  Studying  this  m  parallel 


Figure  4.7:  The  m  parallel  channel  model. 

channel  model  is  of  great  interest  as  it  accurately  models  many  existing  systems.  One 
example  is  in  a  wideband  system,  e.g.,  a  multi-band  multi-carrier  system  whereas  the 
eavesdropper  is  limited  to  a  narrowband  receiver.  Thus  the  rate  equivocation  region 
of  the  parallel  channel  model  can  shed  light  on  any  advantages  that  such  systems 
may  offer  and  what  is  its  potentially  optimal  coding  scheme. 

Denote  by  7 Zm  as  the  rate  equivocation  region  of  the  m  channel  system.  Special¬ 
izing  Theorem  15  to  the  m  parallel  channel  model,  we  have  the  following  theorem. 

Theorem  16.  (Rc,  Rp ,  Re i,  •  •  •  ,  Rem)  £  R m  iff  for  J  £  (l,2y-  ,  m)  there  exist  aux- 
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iliary  numbers  rj  and  random  variables  Uj  — >•  Vj  — >•  X )  — >  hjZj  such  that  the  con¬ 
ditional  distribution  of  Yj  (respectively  Zj)  given  X3  is  determined  by  corresponding 
channel  and 


0 

< 

Rc  +  Rp  ^ 

m 

j= i 

(4.20) 

0 

< 

Rej  ^  Rc, 

(4.21) 

0 

< 

T j  ^  Rc  ~h  Rp , 

(4.22) 

r3 

< 

HVf.YjlU,] 

Z,)), 

(4.23) 

Rej 

< 

IWr,  m, 

)  —  ;  Zj\Uj)]+  +  -Rc 

+ 

1 

-i 

(4.24) 

4.6.2  Noiseless  channels 

By  assuming  noiseless  channels  in  Theorem  16,  we  can  obtain  the  rate  equivocation 
region  for  a  system  with  multiple  parallel  noiseless  channels,  each  with  capacity  Cj, 
j  =  lt  ,>  •  ,  m. 

Proposition  19.  For  a  noiseless  m  parallel  channel  model,  7 Zrn  is  a  closed  convex 
set  consisting  of  rate  tuples  (Rc,  Rp,  Rej),  j  —  !,•••,  m,  satisfying 


m 


0 

< 

Rc  +  Rp  ^  ^  ^  v* j , 

(4.25) 

3= 1 

0 

< 

Rej  —  ? 

(4.26) 

0 

< 

T'j  ^  Rc  ~h  Rp  5 

(4.27) 

r3 

< 

Cj, 

(4.28) 

Rej 

< 

Rc  Rp  —  v  j . 

(4.29) 
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For  perfect  secrecy  system,  i.e.,  by  setting  Rej  —  Rc  for  j  —  1,  •  •  ■  ,  m,  we  have  the 
following  result. 

Proposition  20.  A  rate  pair  (Rc,  Rp)  can  attain  perfect  secrecy  if  and  only  if 

m 

0  <  Rc  +  Rp  <  min(Cj,  Rp). 

3= i 

Consider  now  the  problem  of  maximizing  Rc,  i.e.,  one  want  to  maximize 

m 

Rc  =  min(C'j,  Rp)  —  Rp 

3= 1 

over  all  non-negative  Rp.  It  is  easy  to  show  that  Rc  would  be  a  piecewise  linear  and 
concave  function  of  Rp.  This  is  illustrated  in  Fig.  4.8. 


Figure  4.8:  Rc  vs  Rp  figure  with  four  parallel  channels,  whose  capacities  are  0  <  C\  < 
C2  <  C3  <  C4.  The  maximum  perfectly  secure  throughput  is  max  Rc  =  C\  +  C2  +  C3. 

As  a  result,  for  the  m  channel  case,  the  maximum  perfectly  secure  throughput 
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can  be  attained  using  the  following  simple  scheme.  Set  Rp  =  ma Xj{Cj},  i.e.,  choose 
the  link  with  the  largest  capacity  to  transfer  the  public  message.  All  other  m  —  1 
links  implement  the  one-time  pad  scheme  where  the  secret  key  comes  from  the  public 
message,  achieving  a  total  secure  throughput  of 

m 

max  Rc  =  C,  —  max  {(A,}  (4.30) 

i= 1  3 

Perfect  secrecy  comes  from  the  condition  that  Rp  =  niaxJ{C'7}  >  Cj  for  j  —  1,  •  •  •  ,  m. 
As  with  the  two  channel  case,  Rp  serves  precisely  the  role  of  the  secret  key  for  the 
m  —  1  channels  that  implement  the  one-time  pad  scheme.  More  interestingly,  this 
simple  and  intuitive  scheme  is  actually  shown  to  be  optimal,  according  to  Theorem  16. 

4.6.3  Gaussian  channel 

The  result  can  also  be  extended  to  the  case  of  parallel  Gaussian  broadcast  chan¬ 
nels.  Such  model  describes,  for  example,  a  multiband  frequency  hopped  orthogonal 
frequency- division  multiplexing  (OFDM)  system  where  a  eavesdropper  with  a  nar¬ 
rowband  receiver  can  not  simultaneously  monitor  the  entire  frequency  band.  The 
signal  model  for  the  jth  sub-channel  is, 

\rn  _  yn  .  s~in 

Yj  ~  Aj  +LrYj, 

Z?  =  X^  +  Gnzp 

where  the  noise  vectors  Gy3 ,  GnZj  are  independently  and  identically  distributed  with 
GYji  rs./  Nij)  and  G zji  ^  -^2j)  respectively,  with  i  —  1,  •  •  •  ,  tl.  We  assume, 
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for  now,  individual  power  constraint  for  each  sub-channel: 


Define  C'(-)  as 


1 

n 


Y,ma)<Pr 

i= 1 


C{x) 


1 

2 


log  (1  +  x) , 


the  rate  equivocation  region  is  given  in  the  following  proposition. 


Proposition  21.  For  a  Gaussian  m  sub-channel  system,  1Zm  is  a  closed  convex  set 
consisting  of  those  rate  groups  (. Rc ,  Rp,  Ref)  satisfying, 


0  <  Rc  +  Rp  <  rj, 

j= i 

0  <  Rej  <  Rc , 


0  <  Tj  <  Rc  +  Rp, 


Rej  < 


c  I  -Zl)  -  C  (  Pj 


N- 


N2j 


+  l?c  +  —  r j. 


(4.31) 

(4.32) 

(4.33) 

(4.34) 

(4.35) 


Consider  now  the  total  power  constraint  case,  i.e., 

m  1  n 

E  -  E  e<a'j-)  s R  <4A6) 

3= 1  *=1 

The  interesting  problem  is  to  study  the  optimal  power  allocation  strategy  to  achieve 
the  maximum  perfectly  secure  throughput  Rc  subject  to  the  total  power  constraint 
(Eq.  (4.36)).  We  now  prove  that  this  is  a  convex  optimization  problem. 
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Proposition  22.  For  a  Gaussian  m  sub-channel  system  with  a  total  power  con¬ 
straint,  finding  the  optimal  power  allocation  that  achieves  maximum  perfectly  secure 
throughput  can  be  reduced  to  the  following  convex  optimization  problem. 


max 

p 


(  -5-^  —  max C  (  P] 


0= 1 


Nij 


N* 3 


(4.37) 


where 


subject  to  <  p 

3= 1 


N'2j  ±  N2j),  P^(Pi,---,Pm). 


Proof.  Set  Rej  =  Rc  in  Proposition  21,  the  maximal  Rc  can  be  expressed  as 


max  Rr  =  max  >  min  G 

Rp.P  R-.P  ^  I  1 


Rp,P  Z- 

3= 1 


P 


N- 


il 


C'  (  -§-"1  -  C  ^ 


^n 


n2j 


"i" 


=  max 


(min  (c 


pA:Cf  pi 


N, 


1 3 


N- 


1 3 


c  I 

JV2  1 


P, 


=  max  max 
p  Rv 


=  max  max 


^2  ( min  ( C  ( ,  C  ( S1-)  -  c  ( - -5-  )  +  Rv  )  )  -  Rr 


0=1 

m 


n13 


N- 


1 3 


N23 


P  R* 


■v 


EG1  P‘ 


o=i 


Ni 


1 3 


C  |  ^  +  ^2  min  (C  ( -AFT  )  >  Rp  I  -  Rn 

i=i  v  VV 


(i) 


max 

p 


N23 


St©-0''1 

maxi  EC(w~)  ~m?xC(w 


ec(4)-?c(I 


1=1 


2i 


21 


0=1 


11 


21 


where  (1)  follows  from  the  result  for  the  noiseless  case  (c.f.  Eq.  (4.30)),  i.e.,  for  the 
maximization  problem 


max 

Rv 


0  =  1 


p. 


21 


f|  -^P  I  » 
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the  optimal  solution  corresponds  to 


Rp  =  max  Cj 


max  C 

3 


and  the  obtained  maximum  is 


Ec 


3= 1 


max  C 

3 


Thus  it  remains  to  maximize  the  following  objective  function, 


Ec 


3= 1 


—  max  C 

3 


To  prove  the  concavity  of  this  objective  function, 


where, 


Thus 


N. 


2  j 


C  (  )  —  C  (  jj f- )  is  concave  by  directly  computing  the  second  order  derivative. 


E(c'  Pi 


3= 1 


N- 


1 3 


c 


A 

N23 


is  also  concave. 

m-i  ,  p  x 

C  I  — y-  |  is  a  concave  function  of  P,  and  due  to  the  fact  that  pointwise 
minimum  preserves  the  concavity  [57,  Chapter  3],  we  know 

m—  1 


mm 


EC# 


i= 1 


Nk 


1  <  Jl  <  .72,  •  •  •  ;  jm—1  <  m 
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is  also  concave. 


Since  the  above  objective  function  is  concave  in  the  power  constraint  vector  P  and  the 
parameter  P  is  also  defined  on  the  convex  set  specified  by  Eq.  (4.36),  the  optimization 
problem  is  thus  a  convex  optimization  problem.  □ 

Therefore,  the  standard  optimization  algorithms  [57]  can  be  applied  to  efficiently 
find  the  global  optimum  of  the  power  allocation  strategy. 

4.6.4  Illustration  using  the  deterministic  model 

In  this  subsection,  we  use  deterministic  models  to  illustrate  the  above  results  for 
the  BCCP  model,  the  key  enhanced  BCCP  model,  and  the  m  sub-channel  model 
under  the  Gaussian  channel  assumption.  This  illustration  is  largely  inspired  by  recent 
work  reported  in  [58-60]  and  are  used  to  give  intuitive  explanation  on  how  the  rate 
equivocation  region  can  be  attained. 

Using  the  approximation  of  capacity  by  channel  gain  under  high  SNR  regime  [59], 
we  have  the  approximated  capacities  for  the  Gaussian  channels, 

Ci  ps  nt  -H-  [log  SNRf\,  i  =  1,2. 

The  deterministic  model  for  a  Gaussian  wiretap  channel  (GWC)  is  illustrated  in 
Fig.  4.9(a),  where  the  main  channel  capacity  is  ri\  =  3  and  the  wiretap  channel 
capacity  is  n2  =  2.  Now  that  three  bits  of  the  confidential  message  (Square  #1-3) 
are  to  be  transmitted  via  this  broadcast  channel,  Fig.  4.9(a)  shows  that  the  two  most 
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Figure  4.9:  Pictorial  representation  of  the  deterministic  model  for  GWC,  key  en¬ 
hanced  GWC,  and  Gaussian  m  sub-channel  system. 


Ill 


significant  bits  (MSB)  (Square  #1-2)  can  be  decoded  by  the  wiretap  channel,  while 
the  one  least  significant  bit  (LSB)  (Square  #3)  can  not  be  seen  since  it  falls  below 
the  noise  level  at  the  wiretapper.  Thus,  one  bit  information  is  totally  protected  from 
the  wiretapper.  The  achieved  secrecy  capacity  is  n  \  —  ri2  =  1,  which  coincides  with 
the  theoretical  result  of  the  Gaussian  wiretap  channel  [9],  i.e.,  the  secrecy  capacity  is 
the  difference  between  the  capacities  of  the  main  channel  and  the  wiretap  channel. 

Fig.  4.9(b)  represents  the  secret  key  enhanced  Gaussian  wiretap  channel.  Assume 
a  2  bit  secret  key  (Triangle  #1-2)  is  known  to  the  transmitter  and  the  legitimate 
receiver,  but  unknown  to  the  wiretapper.  If,  for  each  transmission,  we  pre-process 
the  2  MSB  (Square  #1-2)  by  a  modulo  2  sum  operation  with  the  2  bit  secret  key, 
then  these  3  bits  are  all  unknown  for  the  wiretap.  Thus,  a  total  of  3  bits  are  kept 
secret  against  the  wiretapper.  The  secrecy  capacity  is  ri\  —  ri2  +  Rp  =  3,  thus  the 
effect  of  the  secret  key  on  the  equivocation  rate  is  in  an  additive  manner. 

Fig.  4.9(c)  illustrates  a  two  parallel  sub-channel  system.  Suppose  two  identical 
GWCs  are  available,  with  ri\  =  3  and  n-2  =  2.  Only  two  secret  bits  per  channel  use 
can  be  obtained,  one  from  each  sub-channel,  if  we  communicate  independently  over 
these  two  parallel  channels,  ffowever,  if  there  are  in  addition  two  bit  public  message 
(Triangle  #1-2),  then  a  total  of  two  bits  can  be  completely  protected  against  any 
of  the  the  two  wiretapper  (but  not  both).  To  illustrate  how  to  attain  this  four  bit 
secrecy  rate,  from  Fig.  4.9(c),  one  bit  confidential  message  (Square  #4)  and  two  bit 
public  message  (Triangle  #1-2)  are  transmitted  via  channel  1.  The  wiretapper  of 
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channel  1  does  not  know  any  information  about  the  confidential  message  since  the  1 
bit  confidential  message  is  the  LSB  and  falls  below  the  noise  level  for  the  wiretapper. 
For  channel  2,  all  three  bits  are  communicated  as  the  confidential  message:  the  LSB 
is  protected  clue  to  channel  noise  while  the  two  MSB  (Square  #1-2)  are  encrypted 
using  the  two  bits  of  public  message.  Thus  the  two  bit  public  message,  transmitted 
via  channel  1,  serves  as  a  secret  key  for  channel  2.  In  summary,  a  total  of  six  bit 
throughput  is  achieved  during  each  transmission,  of  which  two  bits  correspond  to  a 
public  message  and  four  bits  correspond  to  a  confidential  message  that  is  completely 
protected  from  each  individual  wiretapper. 

4.7  Summary 

In  this  chapter,  we  studied  secure  communication  over  a  single-source  single-sink 
acyclic  planar  network  with  possibly  noiseless  or  noisy  links.  An  achievable  rate 
equivocation  region  was  derived  which  admits  a  constructive  proof  approach.  The 
result  is  consistent  with  that  of  secure  network  coding  in  [13].  On  the  other  hand, 
our  achievability  proof  provides  a  secure  communication  scheme  that  is  both  intuitive 
and  easy  to  implement.  The  achievable  rate  equivocation  region  also  reduces  to 
known  result  for  various  special  cases.  In  particular,  when  the  communication  network 
reduces  to  non-overlapping  parallel  links,  the  proposed  encoding  scheme  is  optimal. 
The  specific  coding  scheme  to  achieve  the  maximal  perfectly  secure  throughput  was 
also  discussed  for  both  noiseless  and  Gaussian  m  sub-channel  systems. 


113 


4.8  Appendix 


4.8.1  Proof  of  Lemma  7 

For  simplicity,  we  only  consider  a  sequence 

{kj+i,  kj+ 2,  •  •  •  ,  knRp,  bi®ki,b2®k2,'--  ,  Krp  ©  knRp, 
bnRp+i  ©  ki ,  bn Rp+2  ©  k2)  i  bnRp+i  ©  k{y , 

which  is  a  quite  general  segment  sequence.  The  derivation  of  its  conditional  entropy 
is  shown  as  in  Eq.  (4.38).  Following  the  similar  light,  we  can  prove  Lemma  7  is  true 
for  any  other  possible  segments. 

H(bi,  ’  *  bnRc | k3+ 1 ,  ,  knRp,  b\  ©  Aq,  ,  bnRp  ©  knRpl 


frnijp  +  l  ©  ^1;  •  •  • 

H  {bnRp+i+ 1, 

•  j  knRp ,  6i  ©  /?! ,  * 

•  •  j  bnRp  ©  knRp 

^nRp+1  ©  &1,  '  '  ' 

5  ffi 

+if  (&lj  •  • '  ,  bnfi 

^p+il^n-Rp+i+lj  * 

)  bnRc  ■>  kj+ 1, 

■  ,jnRp,b 1  ©  All, 

bnRp+ 1  ©  ^1,  •  •  • 

5  ^7li?p+2  © 

=  nRc  -  -  i  +  if  (&i,  •  •  •  ,  6ni?p+i|fcj+i, '  •  *  ,  knRp,  &i  ©  kt,  •  •  •  ,  bnRp  ©  knRp, 

bnRp+l  ©  k\  j  ,  ©  ki) 

=  nRc  -  nRp  -  i  +  H(b i,  •  •  •  ,  bj \kj+1,  •  •  •  ,  fcnRp,  &i  ©  fci,  ■  ■  ■  , bnRp  © 

^nijp  +  l  ©  kl,  ,  bnRp-\-i  ©  ki) 

+if  (&j+i)  j  j  bj ,  ,  knRpl  b\  ©  A i ,  ,  bnRp  ©  knRpl 
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bnRp+1  ©  kh  '  ‘  i  bn.Rp+i  ©  k{j 

=  nRc  -  nRp  -  i  +  H(bh  •  •  •  ,  bj\kj+1,  ■■■  ,  knRp,  bx  ©  kx,  ■  ■  ■  ,  bnRp  ©  knRp, 

bnRp+l  ©  k  1 ,  ,  bnRp+i  ©  ki) 

=  nRc  —  nRp  —  i  +  j  =  n(Rc  +  Rp)  —  r.  (4.38) 

4.8.2  Proof  of  Lemma  8 

To  prove  Lemma  8,  an  iterative  algorithm  is  applied  to  construct  the  ordered  path 
set.  Its  main  idea  is  to  carefully  bookkeep  the  flows  assigned  to  the  ordered  paths 
from  the  source  node  to  the  sink  node.  This  is  in  essence  a  modified  version  of  the 
Ford- Fulkerson  algorithm  for  finding  network  capacity. 

We  assume  that  the  flows’  amounts  assigned  to  the  edges  are  already  determined 
to  achieve  the  network  capacity,  i.e.,  we  only  need  to  consider  the  reduced  network  as 
a  result  of  applying  the  Ford- Fulkerson  algorithm  to  the  original  network.  We  then 
apply  the  following  iterative  algorithm  to  this  reduced  network. 

1.  Set  i  —  1. 

2.  Find  the  highest  path  from  the  source  node  to  the  sink  node,  which  is  higher 
than  all  other  edges  in  the  network.  If  there  is  no  such  path  left,  exit.  The  steps 
for  finding  the  highest  path  are, 

(a)  Initializing,  set  the  virtual  edge  In{u)  as  e*,  and  the  source  node  u  as  r. 
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(b)  Let  6j  be  the  start  edge,  find  the  closest  output  edge  ea  from  the  edge  set 
Out(r)  according  to  the  clockwise  order  at  node  r.  Store  e*,  ea  and  r. 


(c)  If  the  edge  eD  =  Out(d),  exit;  otherwise,  set  e*  =  e0,  r  =  Endnode(e0)  and 
go  to  step  (b). 

3.  Determine  fi,  the  maximum  flow  along  this  path,  which  will  be  equal  to  the 
smallest  flow  amount  on  any  edge  in  the  path  (the  bottleneck  edge). 

4.  Store  this  path  as  Pathi  with  flow  amount  _/).  Subtract  fi  from  the  remaining 
flow  amount  for  each  edge  in  the  path.  Delete  the  edges  with  0  flow  amount. 

5.  Set  i  —  i  +  1.  Go  to  step  2. 

The  above  algorithm  is  to  re-organize  the  reduced  network  into  an  ordered  path 
set,  thus  it  completes  the  proof  of  Lemma  8.  We  point  out  that  there  is  no  need  of 
flow  increasing  on  backward  direction  as  in  the  original  Ford-Fulkerson  algorithm,  as 
we  are  already  dealing  with  the  reduced  network. 

4.8.3  Proof  of  Lemma  9 

We  prove  Lemma  9  by  contradiction.  Assume  that  Lemma  9  is  wrong  and  Pathi,  Path ^ 
can  share  one  edge  e  which  is  not  contained  in  Pathj  with  i  <  j  <  k.  Then  e  is  higher 
than  Pathj  since  Pathi  containing  edge  e  is  higher  than  Pathj.  On  the  other  hand, 
e  is  lower  than  Pathj  as  Pathk  is  lower  than  Pathj.  Thus  e  is  contained  in  Pathj, 
which  contradict  the  assumption. 
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4.8.4  Converse  proof  of  Theorem  15 

In  this  subsection  we  prove  the  converse  part  of  Theorem  15.  We  shall  show  that,  for 
any  admissible  rate  quadruple  (Rc,  Rp,  Retij),  ij  G  Ij  for  any  j  G  (1,2,  ••  •  ,  m),  there 
exist  auxiliary  numbers  and  auxiliary  random  variables  Ui .  — >  V*.  X^j  — >  Yj.Zjn 
j  =  1, 2,  •  •  •  ,  m,  such  that 


Re,ij 

< 

)  —  Cj)]+  +  -Rc  +  d'p  —  r^.  +  e 

(4.39) 

rb 

< 

ic,) 

+  min(/(C,;TJ),/(C,;^J))  +  e 

(4.40) 

Rc  +  Rp 

< 

m 

+e 

j= i 

(4.41) 

Ti- 

< 

7?c  +  +  e 

(4.42) 

Re,ij 

< 

i?c  +  e. 

(4.43) 

By  Fano’s  Lemma, 

we  have 

V£,  ■  "  , YL”J  <  £. 


By  the  geometry  of  parallel  path  network  and  the  standard  functional  dependence 
graphs  argument  [61],  we  know  for  ij  <  Lj  with  j  G  (1,  2,  •  •  •  ,  m ), 


Q T1  v  vn  vn  vn  v  vn  vn  vn 

Iil1  Ii2l"  '  )  1im  1  Ltl  1  L21  '  '  '  1  1  Ln 


forms  a  Markov  chain,  thus 


,Y“)  <  .Y^J  <e. 


n 


n 


Furthermore,  due  to  the  parallel  path  network  property,  for  the  different  paths,  j  ^ 
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k,  Yl;j Ztjj  — y  ST  — >  YikZik  is  also  shown  to  be  a  Markov  chain  by  the  functional 
dependence  graphs  argument.2 

Now  define  rl;j ,  ij  G  Ij  for  any  j  G  (1,  2,  •  •  •  ,  m),  as 

nr  ij  =  I  (ST ;  Yq.) 


Hence, 

f ij  =  —I (ST;  Yt  )  <  -H(ST)  <  Rc  +  Rp  +  e, 

J  n  J  n 

Re,i0  <  -H(S\ZV.)  <  - H(S )  <  Rc  +  e. 
n  3  n 

Thus  the  last  two  inequalities  of  Eqs.  (4.42)- (4.43)  are  established. 

Since  for  the  different  paths,  j  ^  k ,  Ytj Z%;j  — >  ST  — »  YikZik  forms  a  Markov  chain, 
we  then  have 


I(ST;Yh )  =  I(ST,Yi2,Yi3,---  ,Yim;Yh) 

=  I(ST;Yh\Yi2,Yiz,...  ,Yim)  +  I(Yh;Yi2,Yi3,.  ■  ■  ,Yim) 


>  I(ST;Yh\Yi2,Yi3,->.  ,Yim) 


=  H(ST)-H(ST\Yn,Yl2,Yi3,---  ,Yim)  ~  I(ST;Yi2,Yi3r  ■  ■  ,Yim). 


Thus  by  induction,  Eq.  (4.41)  holds,  as 


m  m 

nEr‘.  =  EI(ST’Y‘.'i 

3= 1  3= 1 


2We  comment  here  that  for  a  general  networks,  such  Markov  chain  is  not  established,  which  is 
the  main  reason  we  can  not  have  a  converse  proof  for  Theorem  14. 
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>  H(ST)-H(ST\Yh,Yi2,..-  ,Yim) 


>  n(Rc  +  Rp)  —  ne. 


Furthermore,  the  following  inequalities  can  be  obtained: 


H{S\Z$  <  H (<ST| Z^)  —  H (ST)  —  I (ST ;  Z™. ) 


I  (ST-  Y%) 


I(ST]  y{”)  -  I(ST;  Z%)  +  H{ST\Y%) 

I(ST-  Y£)  -  I(ST-,  Z£)  +  H(ST)  -  I  (ST;  Y£) 

I  (ST-  Y%)  -  I  (ST-  Z{ p  +  n(Rc  +  Rp)  -  nr h ;  (4.44) 

n  n 

£  +  £  nzf  t  ^iWr1) 

2=1  2=1 

n 

~'EI(zT’YvKlTS')-  <4-45) 

2=1 


1?. 


The  following  steps  are  similar  to  the  converse  proof  in  Section  2.6.1. 
=  (Yi.  i,  •  •  •  ,  Yi.i),  Zt]l  =  (Zljit  •  •  •  ,  Zijn),  we  have 


Dehne 


where, 


n 


I{ST;Y%)  = 

2=1 

(4.46) 

/(ST;  Zg)  = 

n 

Y.usrz^ 

2=1 

+  Eg  -  £*,., 

(4.47) 

n 

=  E^r- 
2=1 

w1)* 

sr 

l3 

7 

•<s> 

1 — 1 

eWd 

%i^)’ 

S2,q 

n 

=  E'(?i 
2=1 
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From  [3,  Lemma  7],  we  know 


Thus 


s*.  =  nr, 

0  t  7  J 


S2  ,ij  —  s2 1  . 


I(ST;Y»)  =  £ /(ST;  yyy^Zf1) + 


(4.48) 


X  /(ST;  lyvfzf 1 ')  +  £,*  -  Ey,, 


(4.49) 


E,,  = 


/(Zf1; E;l)'  ')  <  ^  (4-5°) 


Ef  = 


^/(r,;-‘;Z,J.|Z,‘+1)  <  ^/(Zf1!);-1;^,).  (4.51) 


Let  us  introduce  a  random  variable  J,  independent  of  (S',  T,  X]1, ,  1)",  Zj")  and  uni¬ 


formly  distributed  over  {!,•••  ,  n}.  By  setting 


Ui^Y^Z^J,  Vij  =  UijST,  Xh±XljJ, 


Yi.  4  y. 


Z,.  =  Z, 


we  get  Eqs.  (4.52)  and  (4.53)  by  combining  Eqs.  (4.46)-(4.51), 


(/(ST;  V)")  —  I  (ST ;  Z;”))  =  /(yV.jq)  - /(V^ly),  (4.52) 

—I(ST\  Yt  )  <  I(Vh-,Yh\Uh)  +  min(/(tt  ;U ),/(£/,, ;Z„))(4.53) 


Substituting  Eqs.  (4.52)  and  (4.53)  into  Eqs.  (4.44)  and  (4.45),  we  have 


-//(S|Z,“)  <  /(y;r,j|f/ij)-/(y;Zij|q)  +  flc  +  Rp-rij, 
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h(ST-Yn)  <  /(Vq.;  Yi^Uij)  +  mm(/([/q;  Yq),  I(Ui^  Z^)). 


Thus  Eqs.  (4.39)-(4.40)  hold  for  any  lj.  This  completes  the  converse  proof  of  Theo¬ 
rem  15. 
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Chapter  5 


Conclusions  and  Future  Work 

5.1  Conclusions 

This  thesis  studied  secure  communication  from  an  information  theoretic  perspective. 
First,  we  considered  capacity  bounds  for  discrete  memoryless  broadcast  channels  with 
two  confidential  messages.  Several  capacity  outer  bounds  were  proposed  which,  to¬ 
gether  with  a  previously  proposed  inner  bound,  help  establish  the  rate  equivocation 
region  of  several  classes  of  broadcast  channels.  In  addition,  by  removing  the  confiden¬ 
tiality  constraint,  the  proposed  outer  bounds  reduce  to  new  capacity  outer  bounds  for 
the  classical  discrete  memoryless  broadcast  channel.  Then,  we  studied  the  broadcast 
channel  with  confidential  and  public  messages  (BCCP)  model.  Its  more  liberal  treat¬ 
ment  of  the  non-confidential  message  -  the  requirement  that  the  unintended  receiver 
reliably  decode  the  non-confidential  message  is  dropped  -  results  in  an  enlarged  rate 
equivocation  region.  This  BCCP  framework  was  also  extended  to  systems  where  a 
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secret  key  is  available  to  the  intended  transceiver  pair.  Applying  this  key  enhanced 
BCCP  model,  we  further  studied  the  problem  of  secure  communication  over  a  net¬ 
work  in  which  each  link  is  subject  to  non-cooperating  eavesdropping.  A  single-source 
single-sink  acyclic  planar  network  was  considered,  and  the  achievable  rate  equivoca¬ 
tion  region  was  established  through  an  algorithmic  approach,  ft  combines  Shannon’s 
key  encryption,  Wyner’s  random  coding  and  the  Ford-Fulkerson  algorithm,  and  is 
readily  applicable  to  real  communication  networks. 

5.2  Future  Work 

The  proposed  coding  scheme  over  networks  deals  with  a  particular,  yet  widely  popular 
class  of  networks  and  is  very  promising  to  find  applications  in  many  practical  systems. 
It  also  lays  out  a  foundation  for  further  exploration  to  account  for  more  sophisticated 
threats  and  complex  networks.  We  discuss  two  such  extensions  below:  (1)  extending 
to  active  adversaries,  (2)  extending  to  networks  with  interference  at  nodes. 

5.2.1  Active  Adversary 

We  first  consider  an  extension  to  active  threat,  i.e.,  the  adversary  not  only  can  inter¬ 
cept  information  communicated  over  a  link  or  a  node,  but  may  be  able  to  alter  the 
information.  The  model  is  illustrated  in  Fig.  5.1. 

An  intuitive  approach  is  to  treat  the  signal  alteration  as  a  type  of  channel  error 
occurring  in  communication  systems.  As  such,  it  is  reasonable  to  consider  the  use  of 
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Figure  5.1:  An  example  of  network  with  malicious  link/node  (red  marked  ones) 

error  correction  coding  approach  in  dealing  with  this  kind  of  active  attacks. 

Information  theory  [6]  tells  us  that  for  any  given  channels,  it  is  possible  to  con¬ 
struct  error-correcting  codes  in  which  the  likelihood  of  failure  is  arbitrarily  low  as 
long  as  the  communication  rate  is  below  the  capacity.  Therefore,  if  the  attacking 
pattern  (i.e.,  error  probability  distribution)  of  the  malicious  adversary  is  known,  it  is 
easy  to  construct  error-correcting  codes  to  ensure  that  data  is  transmitted  through 
the  network.  However,  different  from  the  usual  transmission  with  errors  occurring 
at  temporally  random  instances,  the  data  alteration  occurs  at  random  nodes  in  the 
network  because  of  unknown  adversary  location.  Thus  protection  is  against  errors 
occurring  in  the  space  domain;  as  such,  redundancy  need  to  be  introduced  in  the 
space  domain.  This  was  also  introduced  by  Yeung  and  Cai  in  [62,63]  in  the  context 
of  network  coding  with  active  adversary  and  this  approach  can  be  adopted  to  tackle 
the  threat  considered  herein. 
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5.2.2  Networks  with  Interference 


Our  present  results  considered  the  orthogonal  transmission,  i.e.,  the  node  receives  the 
signals  from  different  links  without  interfering  amongst  themselves.  However,  when 
applying  it  to  wireless  systems,  the  broadcast  nature  of  wireless  transmissions  ren¬ 
ders  such  orthogonal  transmission  assumption  too  simplistic.  The  problem  becomes 
exceedingly  hard  in  the  presence  of  interference  and  not  much  is  known  for  such  a 
setup,  illustrated  in  Fig.  5.2. 


Figure  5.2:  An  example  of  network  with  interference,  where  the  dashed  green  circles 
on  the  nodes  represent  that  the  signals  received  at  those  nodes  are  interfering  with 
each  other. 

The  main  difficulties  in  dealing  with  arbitrary  relay  networks  are  (1)  the  broad¬ 
cast  nature  of  wireless  communications,  (2)  the  fact  that  signals  from  simultaneously 
transmitting  nodes  interfere  with  one  another  at  other  nodes.  These  give  rise  to  com¬ 
plex  signal  interactions  making  the  understanding  of  wireless  networks  difficult.  The 
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signal  interaction,  however,  also  provides  opportunities  for  secure  communication, 
e.g.,  facilitating  the  generation  of  secret  keys  among  communicating  nodes.  Studying 
the  secure  scheme  of  this  model  is  of  great  interest  and  also  challenge. 
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